Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antimalware Doctor - Infected, Please Help Remove


  • This topic is locked This topic is locked
7 replies to this topic

#1 bas061

bas061

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota, USA
  • Local time:03:33 PM

Posted 26 March 2011 - 07:00 PM

I somehow contracted the "Antimal Doctor" malware today, and need to get rid of it asap. I went through the preparation guide, and the DDS.txt file is copied below, the Attach.txt file is attached, and for one reason or another the gmer.exe application produced no results, or was unalbe to run on this computer due to access being denied (this is a work computer, and i think that may have something to do with it).

I appreciate all the help. If there is anything else you need from me let me know. Thanks.
___________________________________________________________

DDS.txt file:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by marcbasara at 18:27:34.81 on Sat 03/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.648 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shoreline Communications\ShoreWare Client\PCM.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Documents and Settings\marcbasara\Application Data\6BED49FDF6D1C5FD9F071B2F9BF70131\asp70vdviss.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Shoreline Communications\ShoreWare Client\CSISCMGR.exe
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\marcbasara\Local Settings\Temporary Internet Files\Content.IE5\Q43MSKYC\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://weisweb
uDefault_Page_URL = hxxp://weisweb
uInternet Connection Wizard,ShellNext = ftp://ftp.weisbuilders.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ShoreTel Personal Call Manager] c:\program files\shoreline communications\shoreware client\PCM.exe
uRun: [Google Update] "c:\documents and settings\marcbasara\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [asp70vdviss.exe] c:\documents and settings\marcbasara\application data\6bed49fdf6d1c5fd9f071b2f9bf70131\asp70vdviss.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BbPrintMonitor] c:\program files\common files\bluebeam software\brewery\v45\printer support\BBPrint.exe
mRun: [BbInstallUser] c:\program files\bluebeam software\pushbutton pdf\Bluebeam Admin User.exe
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoThemesTab = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-system: SetVisualStyle =
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://selby/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://selby/officescan/console/ClientInstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://selby/officescan/console/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://selby/officescan/console/html/AtxEnc.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://selby/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-2-28 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-11 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-11 108392]
R2 MSSQL$SAGECRE;SQL Server (SAGECRE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\common files\sage\ls1\servicehost\1.0\Sage.LS1.ServiceHost.exe [2009-2-19 107816]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-5-11 2477304]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-5-11 23888]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-24 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-28 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-6-10 35968]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110326.002\NAVENG.SYS [2011-3-26 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110326.002\NAVEX15.SYS [2011-3-26 1360760]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-10 280344]
S4 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
.
=============== Created Last 30 ================
.
2011-03-26 22:42:21 -------- d-----w- c:\docume~1\marcba~1\applic~1\6BED49FDF6D1C5FD9F071B2F9BF70131
2011-03-15 00:37:48 -------- d-----w- c:\docume~1\marcba~1\locals~1\applic~1\Temp
2011-03-15 00:37:29 -------- d-----w- c:\docume~1\marcba~1\locals~1\applic~1\Deployment
.
==================== Find3M ====================
.
2011-03-25 20:59:04 104 ----a-w- c:\docume~1\marcba~1\applic~1\redline2stapler.tmp
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 18:28:36.73 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:33 PM

Posted 27 March 2011 - 02:47 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bas061

bas061
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota, USA
  • Local time:03:33 PM

Posted 27 March 2011 - 11:31 AM

Below is the log of the Malwarebytes quick scan. Complete scan log to follow.

____________________________________________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6183

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2011 10:36:12 AM
mbam-log-2011-03-27 (10-36-12).txt

Scan type: Quick scan
Objects scanned: 139454
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
c:\documents and settings\marcbasara\application data\6bed49fdf6d1c5fd9f071b2f9bf70131\asp70vdviss.exe (Trojan.FakeAlert.Gen) -> 2992 -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asp70vdviss.exe (Trojan.FakeAlert.Gen) -> Value: asp70vdviss.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd_debug.exe (Trojan.FakeAlert) -> Value: upd_debug.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\marcbasara\application data\6bed49fdf6d1c5fd9f071b2f9bf70131\asp70vdviss.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\marcbasara\local settings\Temp\19.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\marcbasara\local settings\Temp\1D.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\marcbasara\local settings\Temp\20.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\marcbasara\local settings\Temp\err.log20776890 (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\marcbasara\application data\6bed49fdf6d1c5fd9f071b2f9bf70131\upd_debug.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 bas061

bas061
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota, USA
  • Local time:03:33 PM

Posted 27 March 2011 - 11:33 AM

Below is the log from the full scan. At first glance the obvious symptoms of the malware seem to be gone, but if there is anything else you need me to do let me know. Thanks again for your help.
_____________________________________________________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6183

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2011 11:26:17 AM
mbam-log-2011-03-27 (11-26-17).txt

Scan type: Full scan (C:\|)
Objects scanned: 201073
Time elapsed: 38 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:33 PM

Posted 27 March 2011 - 11:47 AM

Hi,

Please navigate to and delete the following folder:

C:\Documents and Settings\marcbasara\Application Data\6BED49FDF6D1C5FD9F071B2F9BF70131


BTw, don't worry if this entry returns in malwarebytes:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Delete on reboot.

Because it looks like it has been created with other policies you are probably aware of (if I look at the kind of programs you have installed here).



Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 bas061

bas061
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota, USA
  • Local time:03:33 PM

Posted 28 March 2011 - 08:14 AM

MKD -

Everything seems to be back to normal. Thanks for your help!

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:33 PM

Posted 28 March 2011 - 09:16 AM

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:33 PM

Posted 14 April 2011 - 03:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users