
Anti-Malware Doctor removed, but traces remain.


3 replies to this topic

#1 Nick Razzie


  • Members
  • 2 posts

Posted 16 August 2010 - 02:56 PM

AMD came in with another piece of malware, called Security Suite. They came in at the same time and installed to different directories, and it also installed the Tango Toolbar. It was your basic browser hijacker; I killed the processes, found the files and deleted them, and cleared the registry of any infected keys. I used HJT to disable and delete any other registry keys, plus the BHOs relating to the Tango Toolbar and the redirect pages that the hijacker would load. I'm not computer stupid, so I do know what I'm doing; however, I'm having a bit of trouble with this one.

First, it set up a proxy and surfed to dozens of pages in the background; my Avast network monitor was going crazy, and watching all these links get visited let me know it was hijacked. My internet was slow and laggy, and to connect I would have to disable my LAC and re-enable it, and then my internet gateway would start. It completely infected Google Chrome and Java, and I had to uninstall both of those. System Restore was turned off, so it wasn't hiding in there. I ran HJT and saw an odd registry key.

O4 - HKLM\..\Run: [Rbodanis] rundll32.exe "C:\WINDOWS\aqiyihit.dll",Startup


I figured this may be part of the virus, so I used msconfig and disabled it from Startup.

Bad move on my part: when I restarted my computer, I got a looped BSOD and nothing would load. I couldn't even get a Safe Mode boot. After at least three hours of struggling with this, I used my XP CD and ran a recovery installation, and I'm back in. However, that DLL remains, as well as its place in the boot list, its registry key, and the DLL itself. I scanned the DLL with Avast and MBAM; neither finds it as a threat, but given how my computer acted when it was disabled, I find that hard to believe.

Even though I've deleted the files associated with Tango Toolbar (or so I thought) I still find it in my Add/Remove Programs list. When I click "change/remove", it opens and redirects IE to the Tango Toolbar help page. And my MSCONFIG startup list still shows the .exe file and directory for Security Suite, which shouldn't be there considering I deleted the necessary registry keys it created and cleared the directories it was living in.

I know my computer isn't actively infected, at least not to the degree that it was, but I can still tell it's on here. It loads a little choppy, and just knowing something's on here that shouldn't be is making me paranoid as hell. So, what do you folks think I should do next?

You guys are Tech-Gurus, so your word is like gospel to a nerd like me :thumbsup:

Edited by Nick Razzie, 16 August 2010 - 02:59 PM.
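The O4 entry quoted in the post above is the kind of startup item a responder triages before touching it. The following is an added example, not code from the original post or from HijackThis: it parses HJT-style O4 lines and flags rundll32-launched DLLs that live where no vendor would install them (the Windows root instead of system32, a user-writable profile directory, or a bare filename resolved through the DLL search path). Only the first sample line comes from the post; the other entries, value names and paths are constructed.

```python
import re
from typing import List, NamedTuple

# Constructed sample log. Only the first entry is taken from the post above;
# the other three are made up to exercise the heuristics.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Rbodanis] rundll32.exe "C:\WINDOWS\aqiyihit.dll",Startup
O4 - HKCU\..\Run: [Updater] rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\upd.dll",Run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\exampleui.exe" /nogui
"""

# HijackThis O4 entry: hive, Run key, [value name], command line.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# The DLL rundll32 is asked to load, quoted or bare, before the ",EntryPoint" suffix.
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

class Finding(NamedTuple):
    name: str    # Run value name, e.g. Rbodanis
    dll: str     # DLL path handed to rundll32
    reason: str  # why the entry deserves a closer look

def triage_o4(log_text: str) -> List[Finding]:
    """Flag rundll32-based startup entries whose DLL sits somewhere a vendor would not put it."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        d = DLL_RE.search(m['cmd'])
        if not d:
            continue  # not a rundll32 entry; out of scope for this check
        dll = d['dll']
        folder = dll.rpartition('\\')[0].lower()
        if not folder:
            reason = 'bare filename resolved via DLL search path'
        elif re.fullmatch(r'[a-z]:\\(windows|winnt)', folder):
            # System DLLs live in system32; a DLL dropped in the Windows root is a classic dropper habit.
            reason = 'DLL in Windows root rather than system32'
        elif any(tag in folder for tag in ('\\temp', '\\application data', '\\local settings', '\\appdata')):
            reason = 'DLL in user-writable profile directory'
        else:
            continue
        findings.append(Finding(m['name'], dll, reason))
    return findings

if __name__ == '__main__':
    for f in triage_o4(SAMPLE_LOG):
        print(f'[{f.name}] {f.dll} -> {f.reason}')
```

A flagged entry is a lead for submitting the file or collecting the DDS/GMER logs the helpers ask for, not a verdict; the heuristic says nothing about entries that load from system32 or Program Files.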



#2 Nick Razzie

  • Topic Starter

  • Members
  • 2 posts

Posted 16 August 2010 - 06:41 PM

Since I'm at a loss for what to do, I haven't done anything else since I posted. I'm just waiting for someone to respond.

#3 captaintravis


  • Members
  • 45 posts

Posted 16 August 2010 - 06:54 PM

I got infected with the Security Suite as well. I'm not very good with computers though, so I don't exactly know what I got rid of, but I get it all to stop until you restart the computer; it just keeps coming back. I stopped a process and that let me run rkill, SuperAntiSpyware, AVG Free 9.0, MBAM, and CCleaner. It stops all the popups and blocking until the computer is restarted. Do you know how I could get further than that?

#4 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts

Posted 16 August 2010 - 10:18 PM

Hello, it appears you removed something wrong, perhaps with HJT. HJT really is not a tool to use unless you have been trained with it. We hardly even use it any more here.
Now we need a deeper look to see. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.