
Infected with Antimalware doctor!


  • This topic is locked
6 replies to this topic

#1 Imaloser

Imaloser

  • Members
  • 87 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 16 October 2010 - 01:38 AM

I scanned my computer two times with MBAM to get rid of antimalware doctor, but every time I reboot I still get a popup saying "Your computer is infected" and then the virus scans my computer.

Here is the first log ran under safe mode:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4773

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

10/15/2010 8:43:40 PM
mbam-log-2010-10-15 (20-43-40).txt

Scan type: Quick scan
Objects scanned: 152058
Time elapsed: 20 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\Documents and Settings\diana nong\Application Data\hotfix.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\diana nong\Local Settings\Temp\xbkk.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\diana nong\Local Settings\Temp\xfmnh.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\diana nong\Application Data\hotfix.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\diana nong\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\diana nong\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\diana nong\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\diana nong\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\diana nong\.COMMgr\complmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.


Here is the second log under normal reboot:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4773

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/15/2010 10:22:58 PM
mbam-log-2010-10-15 (22-22-58).txt

Scan type: Quick scan
Objects scanned: 153608
Time elapsed: 14 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,946 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:37 AM

Posted 16 October 2010 - 07:22 AM

Please download and scan with SUPERAntiSpyware Free
-- If you already use SUPERAntispyware, make sure you are using the most current version as it is frequently updated.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Follow these instructions: How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
-- If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner (listed under Popular Links) instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop: Link 1, Link 2.
Be sure to print out and read the instructions provided in: How to Install Kaspersky Virus Removal Tool and How to use the Kaspersky Virus Removal Tool.
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • A window will open with a tab that says Autoscan and Manual disinfection.
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, name the report AVPT.txt and select Save to file.
  • Copy and paste the report results in your next reply. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Imaloser

Imaloser
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 16 October 2010 - 11:04 PM

Thanks for the help, quietman! After running both programs the popups have disappeared, but I am left with this every time I boot:
Posted Image

It still pop ups when I hit delete/ignore.

Anyways here are the logs...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/16/2010 at 06:04 PM

Application Version : 4.44.1000

Core Rules Database Version : 5697
Trace Rules Database Version: 3509

Scan type : Complete Scan
Total Scan Time : 01:31:29

Memory items scanned : 598
Memory threats detected : 0
Registry items scanned : 8545
Registry threats detected : 2
File items scanned : 32316
File threats detected : 27

Adware.Tracking Cookie
C:\Documents and Settings\diana nong\Cookies\diana_nong@atwola[1].txt
C:\Documents and Settings\diana nong\Cookies\diana_nong@at.atwola[1].txt
C:\Documents and Settings\diana nong\Cookies\diana_nong@cdn.at.atwola[1].txt
C:\Documents and Settings\diana nong\Cookies\diana_nong@ar.atwola[2].txt
C:\Documents and Settings\diana nong\Cookies\diana_nong@tacoda[2].txt
ia.media-imdb.com [ C:\Documents and Settings\diana nong\Application Data\Macromedia\Flash Player\#SharedObjects\CT6XQ9AM ]
media.mtvnservices.com [ C:\Documents and Settings\diana nong\Application Data\Macromedia\Flash Player\#SharedObjects\CT6XQ9AM ]
media1.break.com [ C:\Documents and Settings\diana nong\Application Data\Macromedia\Flash Player\#SharedObjects\CT6XQ9AM ]
.liveperson.net [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.liveperson.net [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
r2.unicornmedia.com [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.doubleclick.net [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.liveperson.net [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
www.warezhaven.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
www.warezhaven.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.warezhaven.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.warezhaven.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.stats.paste2.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.stats.paste2.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.stats.paste2.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.linksynergy.com [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.linksynergy.com [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.linksynergy.com [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]
.stats.paste2.org [ C:\Documents and Settings\diana nong\Application Data\Mozilla\Firefox\Profiles\rql175jy.default\cookies.sqlite ]

Rogue.AntiMalwareDoctor
HKU\S-1-5-21-1849589808-2665898652-142762775-1006\Software\Antimalware Doctor Inc
HKU\S-1-5-21-1849589808-2665898652-142762775-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
C:\Documents and Settings\diana nong\Application Data\01A49EE9480DDCACA97F0D2703F0626C

Trojan.Agent/Gen-FakeAV
C:\DOCUMENTS AND SETTINGS\DIANA NONG\LOCAL SETTINGS\TEMP\RFNUNEBL.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000001.EXE



Kaspersky:
Autoscan: completed 1 minute ago (events: 78, objects: 335556, time: 02:19:13)
10/16/2010 6:22:49 PM Task started
10/16/2010 6:26:30 PM Detected: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\579E20C0.dll/CryptFF
10/16/2010 6:26:30 PM Detected: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/MagicApplet.class
10/16/2010 6:26:30 PM Untreated: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\579E20C0.dll/CryptFF Postponed
10/16/2010 6:26:31 PM Detected: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BDD0F8A.dll/CryptFF
10/16/2010 6:26:31 PM Untreated: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/MagicApplet.class Postponed
10/16/2010 6:26:32 PM Untreated: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BDD0F8A.dll/CryptFF Postponed
10/16/2010 6:26:32 PM Detected: Trojan.Java.ClassLoader.au C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/OwnClassLoader.class
10/16/2010 6:26:33 PM Detected: Trojan-Spy.Win32.VBStat.h C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A1B1C03.dll/CryptFF
10/16/2010 6:26:33 PM Detected: not-a-virus:AdWare.Win32.Virtumonde.fl C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57ED1069.dll/CryptFF/Virtumonde/UPX
10/16/2010 6:26:33 PM Detected: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/Installer.class
10/16/2010 6:26:33 PM Untreated: Trojan-Spy.Win32.VBStat.h C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A1B1C03.dll/CryptFF Postponed
10/16/2010 6:26:33 PM Untreated: not-a-virus:AdWare.Win32.Virtumonde.fl C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57ED1069.dll/CryptFF/Virtumonde/UPX Postponed
10/16/2010 6:31:27 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\diana nong\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-3882ef15/vmain.class
10/16/2010 6:31:27 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\diana nong\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-3882ef15/vmain.class Postponed
10/16/2010 6:38:33 PM Detected: Trojan.Win32.Scar.cwnm C:\Documents and Settings\diana nong\Local Settings\Temp\womexsncar.tmp
10/16/2010 6:38:34 PM Untreated: Trojan.Win32.Scar.cwnm C:\Documents and Settings\diana nong\Local Settings\Temp\womexsncar.tmp Postponed
10/16/2010 6:38:45 PM Detected: Trojan.Win32.FakeAv.lzc C:\Documents and Settings\diana nong\Local Settings\Temporary Internet Files\Content.IE5\4MHFSF9I\lpkezhfmu[3].htm
10/16/2010 6:38:45 PM Untreated: Trojan.Win32.FakeAv.lzc C:\Documents and Settings\diana nong\Local Settings\Temporary Internet Files\Content.IE5\4MHFSF9I\lpkezhfmu[3].htm Postponed
10/16/2010 6:43:32 PM Detected: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe
10/16/2010 6:43:32 PM Untreated: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe Postponed
10/16/2010 7:18:50 PM Detected: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
10/16/2010 7:18:50 PM Untreated: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml Postponed
10/16/2010 7:26:26 PM Detected: Trojan.Win32.Scar.cwnm C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000007.exe
10/16/2010 7:26:26 PM Untreated: Trojan.Win32.Scar.cwnm C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000007.exe Postponed
10/16/2010 7:51:23 PM Detected: HEUR:Trojan.Win32.Generic C:\WINDOWS\system32\drivers\biihnvme.sys
10/16/2010 7:51:23 PM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\system32\drivers\biihnvme.sys Postponed
10/16/2010 7:55:27 PM Detected: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe
10/16/2010 7:55:27 PM Untreated: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe Postponed
10/16/2010 8:00:50 PM Detected: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\579E20C0.dll/CryptFF
10/16/2010 8:00:50 PM Detected: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/MagicApplet.class
10/16/2010 8:00:50 PM Untreated: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\579E20C0.dll/CryptFF Postponed
10/16/2010 8:00:50 PM Detected: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BDD0F8A.dll/CryptFF
10/16/2010 8:00:50 PM Untreated: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/MagicApplet.class Postponed
10/16/2010 8:00:50 PM Untreated: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BDD0F8A.dll/CryptFF Postponed
10/16/2010 8:00:50 PM Detected: Trojan.Java.ClassLoader.au C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/OwnClassLoader.class
10/16/2010 8:00:50 PM Detected: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/Installer.class
10/16/2010 8:00:51 PM Detected: Trojan-Spy.Win32.VBStat.h C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A1B1C03.dll/CryptFF
10/16/2010 8:00:51 PM Untreated: Trojan-Spy.Win32.VBStat.h C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A1B1C03.dll/CryptFF Postponed
10/16/2010 8:00:51 PM Detected: not-a-virus:AdWare.Win32.Virtumonde.fl C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57ED1069.dll/CryptFF/Virtumonde/UPX
10/16/2010 8:00:51 PM Untreated: not-a-virus:AdWare.Win32.Virtumonde.fl C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57ED1069.dll/CryptFF/Virtumonde/UPX Postponed
10/16/2010 8:03:06 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\diana nong\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-3882ef15/vmain.class
10/16/2010 8:03:06 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\diana nong\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-3882ef15/vmain.class Postponed
10/16/2010 8:06:43 PM Detected: Trojan.Win32.Scar.cwnm C:\Documents and Settings\diana nong\Local Settings\Temp\womexsncar.tmp
10/16/2010 8:06:43 PM Untreated: Trojan.Win32.Scar.cwnm C:\Documents and Settings\diana nong\Local Settings\Temp\womexsncar.tmp Postponed
10/16/2010 8:06:48 PM Detected: Trojan.Win32.FakeAv.lzc C:\Documents and Settings\diana nong\Local Settings\Temporary Internet Files\Content.IE5\4MHFSF9I\lpkezhfmu[3].htm
10/16/2010 8:06:48 PM Untreated: Trojan.Win32.FakeAv.lzc C:\Documents and Settings\diana nong\Local Settings\Temporary Internet Files\Content.IE5\4MHFSF9I\lpkezhfmu[3].htm Postponed
10/16/2010 8:07:01 PM Detected: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe
10/16/2010 8:07:01 PM Untreated: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe Postponed
10/16/2010 8:23:11 PM Detected: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
10/16/2010 8:23:11 PM Untreated: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml Postponed
10/16/2010 8:27:54 PM Detected: Trojan.Win32.Scar.cwnm C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000007.exe
10/16/2010 8:27:54 PM Untreated: Trojan.Win32.Scar.cwnm C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000007.exe Postponed
10/16/2010 8:40:08 PM Detected: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BDD0F8A.dll/CryptFF
10/16/2010 8:40:22 PM Deleted: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BDD0F8A.dll
10/16/2010 8:40:23 PM Detected: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/MagicApplet.class
10/16/2010 8:41:06 PM Detected: Trojan.Java.ClassLoader.au C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/OwnClassLoader.class
10/16/2010 8:41:06 PM Detected: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip/CryptFF/Installer.class
10/16/2010 8:41:06 PM Deleted: Trojan-Downloader.Java.OpenConnection.ao C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\568C7CCA.zip
10/16/2010 8:41:06 PM Detected: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\579E20C0.dll/CryptFF
10/16/2010 8:41:11 PM Deleted: Trojan.Win32.BHO.g C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\579E20C0.dll
10/16/2010 8:41:12 PM Detected: not-a-virus:AdWare.Win32.Virtumonde.fl C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57ED1069.dll/CryptFF/Virtumonde/UPX
10/16/2010 8:41:25 PM Deleted: not-a-virus:AdWare.Win32.Virtumonde.fl C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57ED1069.dll
10/16/2010 8:41:25 PM Detected: Trojan-Spy.Win32.VBStat.h C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A1B1C03.dll/CryptFF
10/16/2010 8:41:30 PM Deleted: Trojan-Spy.Win32.VBStat.h C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A1B1C03.dll
10/16/2010 8:41:31 PM Detected: Trojan.Win32.Scar.cwnm C:\Documents and Settings\diana nong\Local Settings\Temp\womexsncar.tmp
10/16/2010 8:41:37 PM Deleted: Trojan.Win32.Scar.cwnm C:\Documents and Settings\diana nong\Local Settings\Temp\womexsncar.tmp
10/16/2010 8:41:37 PM Detected: Trojan.Win32.FakeAv.lzc C:\Documents and Settings\diana nong\Local Settings\Temporary Internet Files\Content.IE5\4MHFSF9I\lpkezhfmu[3].htm
10/16/2010 8:41:43 PM Deleted: Trojan.Win32.FakeAv.lzc C:\Documents and Settings\diana nong\Local Settings\Temporary Internet Files\Content.IE5\4MHFSF9I\lpkezhfmu[3].htm
10/16/2010 8:41:43 PM Detected: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe
10/16/2010 8:41:50 PM Deleted: not-a-virus:AdWare.Win32.CommonName.aw C:\Documents and Settings\diana nong\My Documents\AIM Logs\crumbum48\Its Ms Cabags\2005-09-22 [Thursday]\CloneDVD v2.0.9.4.exe
10/16/2010 8:41:50 PM Detected: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
10/16/2010 8:41:56 PM Deleted: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
10/16/2010 8:41:56 PM Detected: Trojan.Win32.Scar.cwnm C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000007.exe
10/16/2010 8:42:02 PM Deleted: Trojan.Win32.Scar.cwnm C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000007.exe
10/16/2010 8:42:02 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\diana nong\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-3882ef15/vmain.class
10/16/2010 8:42:02 PM Deleted: Exploit.Java.Agent.du C:\Documents and Settings\diana nong\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-3882ef15/vmain.class
10/16/2010 8:42:04 PM Task completed

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,946 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:37 AM

Posted 17 October 2010 - 07:43 AM

Did you allow the file to be submitted to avast virus lab for analysis? avast requested the submission because the file was detected with heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. Thus, in some cases such a detection could be a "false positive", so a sample of the file is required by the lab for further analysis. If you have not submitted this file, please do so.


Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders (temp, IE temp, Java, FF, Opera, Chrome, Safari) for all user accounts including:
    • Administrator.
    • All Users.
    • LocalService.
    • NetworkService.
    • and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#5 Imaloser

Imaloser
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 17 October 2010 - 10:32 PM

Here are the results of the eset scan:
C:\WINDOWS\ivuwejat.dll a variant of Win32/Cimag.DP trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\oyutetr.dll a variant of Win32/Kryptik.HJD trojan cleaned by deleting (after the next restart) - quarantined


Now whenever I click on the search results via Google I get redirected to random sites. Sometimes a pop-up ad opens a new tab by itself when I haven't clicked on anything. :thumbsup:

I am also getting the blue screen of death:
Posted Image

"A problem has been detected and windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer. Press F8 to select advanced startup options, and then select safe mode.

Technical information:

*** STOP: 0x00000001 (0xcF7C8000, 0x00000002, 0x00000000, 0x7590CCB)

*** biihnvme.sys - Address F7590CCB base at F758C000, DateStamp 4cb91359

Beginning dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance.
"

I am running on a Dell Inspiron 700m.

Edited by Imaloser, 17 October 2010 - 11:57 PM.

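The bugcheck text in the post above carries more triage information than it looks like. The following is an added example, not code from the original thread or from any of the tools mentioned in it. It parses a hand-transcribed XP-style STOP screen and extracts the fields a responder actually uses: the stop name and code, the faulting module, the offset of the faulting address inside that module (address minus base), and the module's link time, since the DateStamp printed on the screen is the PE header TimeDateStamp, in seconds since the Unix epoch. It also compares the transcribed stop code with the documented value for the stop name (DRIVER_IRQL_NOT_LESS_OR_EQUAL is 0xD1), which flags the copying slip in this particular transcript. The sample input is a constructed copy of the posted screen with the two spelling slips corrected; the small table of bugcheck codes is limited to values I am certain of.

```python
"""Parse a hand-transcribed Windows bugcheck (BSOD) screen and pull out the
fields that matter for malware triage: the stop code, the faulting module,
where inside that module the fault occurred, and the module's link timestamp.
Added example; not code from the original forum post or any tool named there."""
import re
from datetime import datetime, timezone

# Documented bugcheck codes for a few common stop names.
BUGCHECK_CODES = {
    "IRQL_NOT_LESS_OR_EQUAL": 0x0A,
    "KMODE_EXCEPTION_NOT_HANDLED": 0x1E,
    "PAGE_FAULT_IN_NONPAGED_AREA": 0x50,
    "DRIVER_IRQL_NOT_LESS_OR_EQUAL": 0xD1,
}

# Constructed sample: the screen text as transcribed in the post above, with its
# spelling slips corrected. Everything else (values, driver name) is as posted.
SAMPLE_BSOD = """\
A problem has been detected and windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Technical information:

*** STOP: 0x00000001 (0xcF7C8000, 0x00000002, 0x00000000, 0x7590CCB)

*** biihnvme.sys - Address F7590CCB base at F758C000, DateStamp 4cb91359
"""

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")
MODULE_RE = re.compile(
    r"(?P<name>[\w.\-]+\.sys)\s*-\s*Address\s+(?P<addr>[0-9A-Fa-f]+)\s+base\s+at\s+"
    r"(?P<base>[0-9A-Fa-f]+),\s*DateStamp\s+(?P<stamp>[0-9A-Fa-f]+)",
    re.IGNORECASE,
)
# The stop name is the one all-caps line on the screen.
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{8,}$", re.MULTILINE)


def parse_bugcheck(text):
    """Return a dict of the triage-relevant fields, or raise ValueError."""
    stop = STOP_RE.search(text)
    module = MODULE_RE.search(text)
    if not stop or not module:
        raise ValueError("not a recognisable bugcheck transcript")
    name_match = NAME_RE.search(text)
    name = name_match.group(0) if name_match else None
    code = int(stop.group(1), 16)
    params = [int(p.strip(), 16) for p in stop.group(2).split(",") if p.strip()]
    addr = int(module.group("addr"), 16)
    base = int(module.group("base"), 16)
    stamp = int(module.group("stamp"), 16)
    return {
        "stop_name": name,
        "stop_code": code,
        # A transcribed code that disagrees with the documented value for the
        # stop name is the first thing to notice: it usually means a copying slip.
        "code_matches_name": BUGCHECK_CODES.get(name) == code,
        "params": params,
        "module": module.group("name"),
        # Offset of the faulting instruction inside the driver image; this is
        # what you would look up in the binary or a disassembler.
        "fault_offset": addr - base,
        # DateStamp is the PE header TimeDateStamp: seconds since the Unix epoch
        # at link time. A driver with a random-looking name that was linked the
        # day the machine started misbehaving is worth examining first.
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
    }


if __name__ == "__main__":
    for key, value in parse_bugcheck(SAMPLE_BSOD).items():
        print(f"{key:18} {value}")
```

Run against the sample, the parser reports that the fault is 0x4CCB bytes into biihnvme.sys and that the driver was linked on 2010-10-16 (UTC), the day the original poster first reported the infection. The stop code check comes back false because the transcript shows 0x00000001 where the documented value for that stop name is 0xD1; nothing in the parser tries to second-guess which digits were mistyped, it only records the disagreement.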

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,946 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:37 AM

Posted 18 October 2010 - 06:21 AM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is an undetected hidden piece of malware (rootkit) which protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Infections will vary and some will cause more harm to your system than others, as backdoor Trojans not only compromise your system, they have the ability to download more malicious files. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:37 AM

Posted 18 October 2010 - 10:57 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic354611.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



