
(Atypical?) infection by Antimalware Doctor on Window Vista.


  • Please log in to reply
3 replies to this topic

#1 pols2

Posted 23 May 2011 - 12:34 AM

Hello,

A few days ago (on May 19 around 12:30am) I was watching a movie online when suddenly a pop-up window opened asking me if I wanted to install Antimalware Doctor. I just clicked on the red "X" on the top right of this pop-up window to close it.
It closed down; however, after a short time I got some message telling me that the installation was successful and this program started running a (fake) scan. I immediately unplugged the power for my laptop (which had no battery) to shut it down. After the computer was off, I unplugged the cable connecting it to the internet and tried to turn it on.

It turned on fine. However, on my desktop there was the yellow icon of a shortcut to this Antimalware Doctor. Apparently, no other issues... No pop-ups stating that my computer is under attack. No pop-ups claiming I have thousands of viruses on my laptop. Nothing. Just this new icon.
However, both my McAfee Antivirus and Microsoft Security Essentials had the Real-Time Protection feature turned off and it was impossible to turn it on.

I checked the location of the Antimalware Doctor file that the shortcut on my desktop pointed to and I erased it. I also ran a full scan with McAfee and Essentials, but they found nothing. I thought that maybe when I unplugged the power cord of my laptop (shutting it down) I might have interrupted some action that this malware was performing, and for some reason I thought that maybe I could resolve the issue with a System Restore. I found a restore point at 11:49pm on May 18 (45 minutes before this issue first appeared) and I used it.
When it rebooted, it told me that there was some issue with some Windows files. I cannot remember the precise statement. There were two options: either try to repair the issue, or let it be. I tried several times to use the auto-repair option. Unfortunately, the computer was somehow not accepting this answer from me, so I had to click on the other option. After it turned on, a window appeared telling me that the system restore was successful.
Still, I could not turn on the Real-Time feature of McAfee and MS Essentials.

Hence, I downloaded Malwarebytes Anti-Malware onto a USB drive and installed it on my computer after I rebooted it in Safe Mode.
This anti-malware found:
i) an infected registry entry HKEY_CURRENT USER_ bla bla bla, which I quarantined and deleted;
ii) some other harmless file that I downloaded myself and that is not connected to malware. However, just to be safe, I quarantined and deleted it as well.

I then rebooted my computer and made it start normally.
However, a few minutes after logging in, a BSOD appeared and my computer rebooted again. The blue screen seems to complain about my ATAPORT.SYS file.


Now my situation is the following:
1) Every time I start my laptop normally, I get a BSOD restarting my computer, complaining about the ATAPORT.SYS file.
2) My McAfee and MS Essentials have the real-time protection turned off and I cannot change it.
3) I can turn Windows Defender Real-Time Protection on and off; however, it does not help me with 2).
4) Malwarebytes Anti-Malware does not find any issue on my computer (I always run it in Safe Mode).
5) There is an MsMpEng.exe process that is always present in the process list of the Task Manager, even in Safe Mode (regardless of whether Windows Defender is turned on or off).
When I try to kill this process, it resurrects after a few seconds. If I kill it a second time, it resurrects again after a few seconds. After I kill it a third time, it does not show up anymore. However, even after that I cannot turn on Real-Time Protection for my antiviruses.
6) I never got (and still do not get) any request to purchase Antimalware Doctor. No pop-ups of any kind from it either.

I did not try going on the web again.


I would really really appreciate any help that you might give me.

Thanks,

PP


#2 Jim Ow

Posted 23 May 2011 - 06:50 AM

Malwarebytes won't always find all of the viruses on the machine in Safe Mode; the only way to get rid of them all is going to be running the scan in Normal Mode, but obviously with the issue you're having with the Blue Screen I'm not sure if this will be possible.

What I would recommend is trying to boot into Windows and, as soon as it loads up, run RKill; this should kill all known harmful processes. A Notepad document will then be produced listing all of the processes and their locations. Go to all of these file locations and delete them, restart the PC and run a virus scan.

It might not go as smoothly as this. Try to run RKill in Safe Mode; if the software loads up in that as well, you'll then be able to manually delete it.

Might not make a lot of sense, let me know how it goes.

#3 pols2 (Topic Starter)

Posted 24 May 2011 - 10:32 PM

Hello,

I downloaded RKill and ran it in Safe Mode, as it was impossible to run it in Normal Mode (because of the blue screen of death).
It found only two processes. They both have the same name: conime.exe, a file in Windows\System32.
I tried to get rid of it, but of course I could not do it.
I downloaded Unlocker and tried to use it, but for some reason it is not working on my computer in Safe Mode.

Could I please ask your help to eliminate this file?

Thank you very much!

PP

#4 pols2 (Topic Starter)

Posted 24 May 2011 - 11:38 PM

In an attempt to eliminate conime.exe I downloaded some software (BFGhost1.0 Removal Tool) which found 4 items of spyware/malware/adware.

They are:
1) c:\users\Paolo\appdata\local\temp\rarsfx0\procs\explorer.exe
2) c:\users\Paolo\appdata\local\temp\rarsfx0\procs\iexplore.exe
3) c:\users\Paolo\appdata\local\temp\rarsfx0\nird\iexplore.exe
4) c:\users\Paolo\appdata\local\temp\rarsfx0\h\iexplore.exe

Should I manually remove them?
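The two signals worth checking before deleting anything in the lists above (the RKill process listing from reply #2 and the four paths in reply #4) are where a well-known executable name is actually running from, and whether that directory is one a system binary should never execute from. The following is an added example, not code from the thread or from any of the tools named in it: it parses a constructed one-path-per-line listing modelled on the paths posted above and flags entries on those two signals. The expected directories for explorer.exe, iexplore.exe and conime.exe are assumptions for a default Windows Vista install; a well-known name in its expected directory is not flagged by name alone, and confirming such a file still requires its signature or hash, which this example does not check.

```python
import ntpath
import re

# Constructed sample listing (not a real RKill log): one executable path per line,
# modelled on the paths reported in the thread. The first three are where genuine
# copies of those binaries live; the last four are the entries from reply #4.
SAMPLE_LISTING = """\
c:\\windows\\explorer.exe
c:\\program files\\internet explorer\\iexplore.exe
c:\\windows\\system32\\conime.exe
c:\\users\\Paolo\\appdata\\local\\temp\\rarsfx0\\procs\\explorer.exe
c:\\users\\Paolo\\appdata\\local\\temp\\rarsfx0\\procs\\iexplore.exe
c:\\users\\Paolo\\appdata\\local\\temp\\rarsfx0\\nird\\iexplore.exe
c:\\users\\Paolo\\appdata\\local\\temp\\rarsfx0\\h\\iexplore.exe
"""

# Assumed expected locations for each well-known binary on a default Vista install.
# A copy of one of these names anywhere else is reported as a masquerade candidate.
EXPECTED_DIRS = {
    "explorer.exe": ["c:\\windows"],
    "iexplore.exe": ["c:\\program files\\internet explorer",
                     "c:\\program files (x86)\\internet explorer"],
    "conime.exe": ["c:\\windows\\system32"],
}

# Name-independent signal: directories from which no system binary should execute.
# rarsfxN is the extraction directory of a self-extracting RAR archive.
UNTRUSTED_PATTERNS = [
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\rarsfx\d*\\", re.I),
]


def classify(path):
    """Return the list of reasons a path looks suspicious (empty list = nothing flagged)."""
    # ntpath handles Windows separators regardless of the host OS.
    norm = ntpath.normpath(path).lower()
    name = ntpath.basename(norm)
    directory = ntpath.dirname(norm)
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        reasons.append(f"{name} outside expected location(s) {expected}")
    for pat in UNTRUSTED_PATTERNS:
        if pat.search(norm):
            reasons.append(f"runs from untrusted directory (matched {pat.pattern})")
    return reasons


def triage(listing):
    """Parse a one-path-per-line listing; return {path: reasons} for flagged entries only."""
    flagged = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = classify(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LISTING).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed listing, only the four rarsfx0 entries are reported, each with both a masquerade reason and a location reason; the three system-location copies pass. The same `triage` function can be pointed at a real process listing saved as text, one path per line.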




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users