
Infected with Antimalware Doctor


  • This topic is locked
11 replies to this topic

#1 muddy90

Posted 23 June 2010 - 05:36 AM

Hi

I am trying to clean up a Compaq Mini netbook which appears to be infected with Antimalware Doctor.

Superantispyware running in safe mode identifies the problem but is unable to successfully remove it.

Attached are the DDS reports and the GMER log.

Any help greatly appreciated

Attached Files

  • Attached File  ark.txt   87.52KB   7 downloads
  • Attached File  DDS.txt   12.37KB   7 downloads



#2 kahdah

  • Security Colleague

Posted 28 June 2010 - 08:15 AM

Hello muddy90

Welcome to BleepingComputer
========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
If you decide to clean it please do the following.

=================
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 muddy90

  • Topic Starter

Posted 28 June 2010 - 08:59 AM

Hi

Thanks for the response, I've already counselled the owner to change all his passwords and notify his bank that he's infected.

I've downloaded Combofix, but when I run it, it gets to the stage of installing the Recovery Console, then asks me to answer yes when the EULA appears; however, the EULA screen doesn't appear, and the system then states that I didn't press yes when asked, although I didn't get asked. The only option it gives you is to end or continue scanning. It then tells me it found a rootkit.
The box says Combofix has detected the presence of rootkit activity and needs to reboot the machine. The only option is to reboot. What's the best course of action, bearing in mind that I couldn't install the MS Recovery Console when it wanted it?

Combofix completed successfully and the results log.txt is attached.

regards Mike

Attached Files

  • Attached File  log.txt   19.08KB   9 downloads

Edited by muddy90, 28 June 2010 - 09:39 AM.


#4 kahdah

  • Security Colleague

Posted 28 June 2010 - 12:47 PM

Hmm, OK, it ran fine, but this time let's try to get the Recovery Console added in.

Please go here again > http://www.bleepingcomputer.com/combofix/how-to-use-combofix and scroll down until you see the instructions for manually installing the Recovery Console.
Try to manually download it and drag and drop it onto Combofix, and post the resulting log.

If it fails we will move on.


#5 muddy90

  • Topic Starter

Posted 29 June 2010 - 03:39 AM

Hi
Successfully installed Recovery Console as per instructions; on re-running Combofix the error message below appeared:

"Rootkit TDL3

Rootkit activity persists. Have to attempt other methods
Combofix needs to reboot the machine again
Kindly note down on paper the data below we may need it later.

Service WmiAcpi
File C:\WINDOWS\system32\DRIVERS\wmiacpi.sys"

It then asked to reboot to continue and completed; the new log file is attached.

Attached Files

  • Attached File  log.txt   11.85KB   7 downloads


#6 kahdah

  • Security Colleague

Posted 29 June 2010 - 06:14 AM

Great, that was the rootkit that we were wanting to remove.


I would like for you to submit a file to analyze.

I will need you to show hidden files\folders so we can find the file.
To Set:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK

Now: using Windows Explorer (to get there right-click your Start button and go to "Explore")
Then navigate to this location and upload the following file.

c:\windows\system32\vcstijmw.exe

Click Here to upload the file please.
Please leave the link to this thread so we can identify where it came from.
=================================
Once you have done that please do the following.

Update/Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=====
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


#7 muddy90

  • Topic Starter

Posted 01 July 2010 - 04:57 AM

Hi

Sorry about the delay in responding, but I have been out of the office updating PCs for mainframe access.

Anyway, I have completed the tasks as requested and sent the vcstijmw.exe.

The Malwarebytes data is here

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

01/07/2010 09:25:25
mbam-log-2010-07-01 (09-25-25).txt

Scan type: Quick scan
Objects scanned: 120106
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET log as follows:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=07b5ad67ada73848bcf03606b1e7ef20
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-01 09:32:10
# local_time=2010-07-01 10:32:10 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 274 274 0 0
# scanned=46374
# found=36
# cleaned=36
# scan_time=1171
C:\Qoobox\Quarantine\C\Documents and Settings\SEAN\Application Data\5449a787.exe.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\SEAN\Application Data\7347021D73941FB7865F8DBA30271476\gotnewupdate000.exe.vir Win32/Adware.AntimalwareDoctor application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\SEAN\Application Data\Omhi\gyipi.exe.vir a variant of Win32/Kryptik.EOO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\SEAN\Application Data\Veke\dueri.exe.vir Win32/Spy.Zbot.QT.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\$NtUninstallWTF1012$\elUninstall.exe.vir Win32/Adware.Lifze.J application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\Iqutaa.exe.vir Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe.vir Win32/Adware.Lifze.J application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\njriu.sys.vir Win32/Bubnix.AO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\wmiacpi.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\wmiacpi.sys.vir_ Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\A1k9y1c9.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\CE7931sK.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\E55k5.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\EI793q79.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\EIQ1793.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\G7i31q.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\G9iQ7wS.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\GM1gM3gM9.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\GM31wS3.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\IQ3w7uO.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\IQ7wSK79.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\IQGM3g7i.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\KUOCEIQG.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\O55m5.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\Q7931m.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\QG3179e.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\QG5i5.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\S1e93179.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\SK3y7c3.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\SK5y5.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\SKU317.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\W5uOC.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\WSKU3m79.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\YW3179w.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\vcstijmw.exe Win32/Adware.Lifze.J application (deleted - quarantined) 00000000000000000000000000000000 C


Once again thanks for your assistance

Mike
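As an added example (not code from the thread, from ESET or from BleepingComputer), the following Python parses the ESET Online Scanner log format posted above: the `# key=value` header and each finding line, splitting the Windows path from the detection name even when the path contains spaces, and then reporting which findings were already sitting in ComboFix's C:\Qoobox quarantine versus still live on disk (here only vcstijmw.exe). The sample log is a constructed excerpt of five of the 36 findings; the quarantine prefix is an assumption based on the paths in the log.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt (5 of the 36 findings) of the ESET log posted above.
# Header lines are "# key=value"; findings are "<path> <detection> (<action>) <md5> <flag>".
SAMPLE_ESET_LOG = r"""# version=7
# utc_time=2010-07-01 09:32:10
# scanned=46374
# found=36
# cleaned=36
C:\Qoobox\Quarantine\C\Documents and Settings\SEAN\Application Data\5449a787.exe.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\SEAN\Application Data\Veke\dueri.exe.vir Win32/Spy.Zbot.QT.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\wmiacpi.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\A1k9y1c9.dll.vir a variant of Win32/Kryptik.EUQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\vcstijmw.exe Win32/Adware.Lifze.J application (deleted - quarantined) 00000000000000000000000000000000 C
"""

# A finding ends with "(action) <32 hex md5> <flag>"; everything before is "<path> <detection>".
FINDING_RE = re.compile(r'^(?P<left>.+) \((?P<action>[^()]*)\) (?P<md5>[0-9a-fA-F]{32}) (?P<flag>\S+)$')
# A detection starts with "a variant of", "probably a variant of" or "<platform>/<name>";
# Windows paths never contain "/", which is what lets us split path from detection.
DETECTION_START = re.compile(r'^(?:(?:probably )?a variant of |\w+/)')
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"   # assumption: ComboFix's quarantine folder


def _split_path_detection(left: str) -> Tuple[str, str]:
    tokens = left.split(" ")
    for i in range(1, len(tokens)):
        if DETECTION_START.match(" ".join(tokens[i:])):
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    return left, ""


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return (header, findings). Lines that are neither (installer chatter) are skipped."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        path, detection = _split_path_detection(m.group("left"))
        findings.append({
            "path": path, "detection": detection, "action": m.group("action"),
            "md5": m.group("md5").lower(),
            "already_quarantined": path.lower().startswith(QUARANTINE_PREFIX),
        })
    return header, findings


def detection_name(detection: str) -> str:
    """'a variant of Win32/Kryptik.EUQ trojan' -> 'Win32/Kryptik.EUQ'."""
    return re.sub(r'^(?:probably )?a variant of ', '', detection).split(" ")[0]


def summarize(header: Dict[str, str], findings: List[dict]) -> dict:
    """Triage view: what was still live on disk, counts per detection, and whether the
    parsed count matches the scanner's own 'found' figure (a mismatch means an excerpt
    or a parse gap, so the list should not be trusted as complete)."""
    return {
        "parsed": len(findings),
        "declared_found": int(header.get("found", "0")),
        "live_on_disk": [f["path"] for f in findings if not f["already_quarantined"]],
        "by_detection": dict(Counter(detection_name(f["detection"]) for f in findings)),
    }
```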

#8 kahdah

  • Security Colleague

Posted 01 July 2010 - 06:53 AM

Good, you are welcome.

Please post a new DDS.txt and let me know how things are running.

#9 muddy90

  • Topic Starter

Posted 01 July 2010 - 08:18 AM

Hi again

The new DDS log is attached.

The system appears to be functioning well; thanks again for your patience.

Now to re-install anti-virus software. Do you have a recommendation?

Attached Files

  • Attached File  DDS.txt   9.5KB   3 downloads


#10 kahdah

  • Security Colleague

Posted 01 July 2010 - 01:12 PM

Sure, for a free antivirus there are these choices:
AVG, Avira, avast, Microsoft Security Essentials
I would choose any of the above.
For a paid version I would choose Kaspersky or ESET.
Just my opinion though, and nothing is 100% effective against malware.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MChk"=-

Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
=========
=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
Delete/uninstall anything else that we have used that is left over.

=====================================
After that you're all set.


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: to find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, emule, Utorrent, Limewire etc.
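As an added example (not code from the thread or from any of the tools used in it), the following Python parses a REGEDIT4 / Registry Editor 5.00 file such as the fixthis.reg above, where `"MChk"=-` means "delete this value", and applies the resulting operations to an in-memory snapshot of the Run key so the effect of a fix can be reviewed before it is merged into the live registry. The snapshot contents, the placeholder path and the SoundMan entry are constructed, not taken from the DDS logs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .reg text mirroring the fix posted above: REGEDIT4 header, one key,
# and "MChk"=- which tells Registry Editor to DELETE the named value on merge.
FIXTHIS_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MChk"=-
"""

RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed snapshot of a Run key: MChk is the value the thread removes (its path is
# a placeholder, the thread does not show it) and SoundMan stands in for a legitimate entry.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {
        "MChk": "C:\\<placeholder>\\loader.exe",
        "SoundMan": "SOUNDMAN.EXE",
    }
}

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')            # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data
Op = Tuple[str, str, Optional[str], object]             # (op, key, value name, data)


def parse_reg(text: str) -> List[Op]:
    """Turn a .reg file into a list of delete_key / delete_value / set_value operations.
    Only the subset needed for cleanup fixes is decoded (strings, dword, deletions);
    other value types are kept as raw text rather than silently dropped."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith(("REGEDIT4", "Windows Registry Editor")):
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    ops: List[Op] = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":                 # [-KEY] deletes the whole key
                ops.append(("delete_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = m.group(1)
        name = "" if name == "@" else name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(2).strip()
        if data == "-":                           # "name"=- deletes that one value
            ops.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set_value", key, name, data[1:-1].replace("\\\\", "\\")))
        elif data.startswith("dword:"):
            ops.append(("set_value", key, name, int(data[6:], 16)))
        else:
            ops.append(("set_value", key, name, data))   # hex:, hex(2): ... left raw
    return ops


def apply_ops(snapshot: Dict[str, Dict[str, object]], ops: List[Op]) -> Dict[str, Dict[str, object]]:
    """Apply ops to a copy of the snapshot, so what a fix will remove (and what it
    leaves alone) can be checked before double-clicking the .reg file."""
    state = {k: dict(v) for k, v in snapshot.items()}
    for op, key, name, data in ops:
        if op == "delete_key":
            state.pop(key, None)
        elif op == "delete_value":
            state.get(key, {}).pop(name, None)
        else:
            state.setdefault(key, {})[name] = data
    return state
```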

#11 muddy90

  • Topic Starter

Posted 02 July 2010 - 11:13 AM

Hi

Instructions followed to the letter, everything is now working well. Thanks for everything, your help was invaluable. Have a great weekend.

Mike

#12 kahdah

  • Security Colleague

Posted 02 July 2010 - 12:30 PM

You are welcome, and you too.


Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
