an annoying little piece of malware



#1 JeroenV


Posted 31 August 2010 - 03:43 PM

I got a piece of antimalware doctor that doesn't want to get removed.

it's there in my appdata/roaming/weirdfilename

every time I shift-del it and restart my PC it's there again...

how can I get rid of that for good? I've scanned 3 times today yet that one doesn't want to disappear

(scanned with malwarebytes & norton internet security)

I can easily Ctrl-Alt-Del this and get rid of this but doing this every time is troublesome... getting rid of it forever would be helpful


#2 cryptodan


Posted 31 August 2010 - 08:06 PM

Can you post those scan logs from mbam and norton?

#3 JeroenV


Posted 01 September 2010 - 06:38 AM

it's gone now though... I checked it in appData/roaming and the file isn't there now anymore. yesterday it came back every time I restarted the PC

I didn't do anything else than just log off & restart my PC now...

anyway here are the scan logs of mbam:

last run:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databaseversie: 4435

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

31/08/2010 22:19:07
mbam-log-2010-08-31 (22-19-07).txt

Scantype: Snelle scan
Objecten gescand: 135121
Verstreken tijd: 11 minuut/minuten, 6 seconde(n)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 6
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 5

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels geïnfecteerd:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\FLV Direct Player (Adware.FLVPlayer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Bestanden geïnfecteerd:
C:\Users\Jeroen\AppData\Roaming\data.dat (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Windows\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\Jeroen\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.


first run
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databaseversie: 4435

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

31/08/2010 18:25:01
mbam-log-2010-08-31 (18-25-01).txt

Scantype: Volledige scan (C:\|D:\|F:\|G:\|)
Objecten gescand: 412347
Verstreken tijd: 2 uur/uren, 56 minuut/minuten, 13 seconde(n)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 1
Registersleutels geïnfecteerd: 2
Registerwaarden geïnfecteerd: 4
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 21

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:
C:\Users\Jeroen\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registersleutels geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-12sf-n85p (Worm.Autorun.:thumbsup: -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsekeoij (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avhvvngt (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Mappen geïnfecteerd:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.

Bestanden geïnfecteerd:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Worm.Autorun.:flowers: -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2EBI860T\loaderadv600[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZRB2RJO\mediafix70700en02[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZRB2RJO\mediafix70700en02[2].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZRB2RJO\mediafix70700en02[3].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZRB2RJO\rp020832[1].exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\3383945.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\4109823.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\aswenmocxr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\scronweamx.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\591.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\6728.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Roaming\AAD0F0F7A6633FDDB2BC9530C4F207E0\mediafix70700en02.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Roaming\ohydy.exe (Worm.Palevo) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Users\Jeroen\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\bpaiujwuc\ielnyjishdw.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\vppiuswed\ivnyppnshdw.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
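
Added example, not part of this thread and not a Malwarebytes tool: a small Python triage script that parses the detection lines of an MBAM log like the ones posted above and singles out the entries that explain the symptom in the first post (a file under AppData that is back after every restart). The registry Run values, the Winlogon shell value and the scheduled-task .job files in the first-run log are the autostart entries that re-launch or re-drop the payload at logon; the objects still marked "Delete on reboot" are what a second scan after restarting should confirm as gone. The line format and the list of autostart locations are my assumptions; the sample lines are copied from the first-run log posted above.

```python
"""Triage helper for a Malwarebytes Anti-Malware log (added example, not part of
the forum thread and not Malwarebytes' own tooling).  It parses detection lines
of the form  "<object> (<detection name>) -> <action>."  and singles out the
entries that explain why a file keeps coming back after a reboot: autostart
registry values, scheduled-task .job files, and objects still pending
"Delete on reboot".  The line format and the autostart-location list are my
assumptions; SAMPLE_LOG copies lines from the first-run log posted above."""
import re
from collections import Counter

# One detection line: object, detection name in parentheses, then "-> action."
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Autostart locations, matched case-insensitively as substrings of the object
# path.  A value here re-launches or re-drops the payload at logon, which is the
# usual reason a manually deleted file is back after a restart (assumed list).
AUTOSTART_MARKERS = (
    "\\currentversion\\run",   # ...\CurrentVersion\Run and RunOnce values
    "\\winlogon\\shell",       # Winlogon Shell value (chained in front of explorer.exe)
    "\\windows\\tasks\\",      # scheduled-task .job files
)

# Lines copied from the first-run MBAM 1.46 log posted above (Dutch output).
SAMPLE_LOG = r"""Registersleutels geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsekeoij (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avhvvngt (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Bestanden geïnfecteerd:
C:\Users\Jeroen\AppData\Roaming\ohydy.exe (Worm.Palevo) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Jeroen\AppData\Local\bpaiujwuc\ielnyjishdw.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
"""


def parse_log(text):
    """Return one dict per detection line: object, detection name and action.
    Section headers and summary lines have no '->' and are skipped."""
    entries = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            entries.append({"object": m.group("obj"),
                            "name": m.group("name"),
                            "action": m.group("action")})
    return entries


def is_autostart(obj):
    """True when the object sits in one of the assumed autostart locations."""
    low = obj.lower()
    return any(marker in low for marker in AUTOSTART_MARKERS)


def triage(text):
    """Summarise a log: counts per detection name, autostart entries, and
    objects MBAM could not remove until the next reboot."""
    entries = parse_log(text)
    return {
        "total": len(entries),
        "by_detection": Counter(e["name"] for e in entries),
        "autostart": [e["object"] for e in entries if is_autostart(e["object"])],
        "pending_reboot": [e["object"] for e in entries
                           if e["action"].lower().startswith("delete on reboot")],
    }


def report(text):
    """Human-readable triage report for one log."""
    t = triage(text)
    lines = [f"{t['total']} detections"]
    for name, n in t["by_detection"].most_common():
        lines.append(f"  {n:>3}  {name}")
    lines.append("Autostart entries (why a deleted file returns after a restart):")
    lines.extend(f"  {o}" for o in t["autostart"])
    lines.append("Pending removal until reboot (rescan after restarting):")
    lines.extend(f"  {o}" for o in t["pending_reboot"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a saved mbam-log-*.txt by passing the file contents to report(); the autostart section is the part worth reading first, because as long as one of those values survives, deleting the dropped executable by hand only lasts until the next logon.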

#4 cryptodan


Posted 01 September 2010 - 08:28 AM

Can you now run the following:

http://housecall.trendmicro.com/

And post back if it finds anything?

#5 JeroenV


Posted 01 September 2010 - 09:20 AM

Can you now run the following:

http://housecall.trendmicro.com/

And post back if it finds anything?


it found:

eqhff.exe troj fakelrt.smt
llipk.exe troj gen.r2fe1hr
mkcxhunr.exe troj faklrt.smt


also suddenly I'm seeing all hidden folders/files... :/ is there some way I can set those back to hidden... I forgot how I do that :/

Edited by JeroenV, 01 September 2010 - 09:25 AM.


#6 cryptodan


Posted 01 September 2010 - 09:28 AM

How to show Hidden Files? just do the opposite there.

I would also suggest upgrading to SP2.

Windows Vista SP2

#7 JeroenV


Posted 01 September 2010 - 10:42 AM

How to show Hidden Files? just do the opposite there.

I would also suggest upgrading to SP2.

Windows Vista SP2



what will the benefit be for me if I install it?

like more speed/safer pc, ... ?

#8 cryptodan


Posted 01 September 2010 - 10:43 AM

How to show Hidden Files? just do the opposite there.

I would also suggest upgrading to SP2.

Windows Vista SP2



what will the benefit be for me if I install it?

like more speed/safer pc, ... ?


New additions, more stable PC, and not to mention greater security.

#9 JeroenV


Posted 01 September 2010 - 10:58 AM

New additions, more stable PC, and not to mention greater security.



hmm... how long will it take/will I need to install drivers again?

and is SP2 64-bit?

#10 cryptodan


Posted 01 September 2010 - 03:53 PM

Windows Vista SP2 64bit

Make sure drivers are updated before you install.



