WiredWX Hobby Weather Tools

Need Help to remove Antimalware Doctor

2 posters

Re: Need Help to remove Antimalware Doctor
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25da58727e6ebb42b15da5020dff6015
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-31 09:54:08
# local_time=2010-07-31 04:54:08 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 9202855 9202855 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122855
# found=10
# cleaned=10
# scan_time=8051
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\31\475ee9f-4f061400 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\42\3c071b2a-54b6c946 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\6\13b98886-414ec045 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\92.tmp a variant of Win32/Olmarik.UL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\jar_cache3974793204991448007.tmp a variant of Java/TrojanDownloader.Agent.NBA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\jar_cache6146789445735889649.tmp a variant of Java/Exploit.Agent.NAC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\soenxrwcma.tmp a variant of Win32/Injector.BCP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\xwcaonmres.tmp a variant of Win32/VB.PAM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\plugtmp-45\plugin-Notes2.pdf JS/Exploit.Pdfka.OAH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\My Documents\Downloads\exeHelper.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: Need Help to remove Antimalware Doctor
Clear your Java Cache
  • Click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

Clean Temporary Files

Please download TFC by OldTimer to your desktop.
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Run Kaspersky Online Scan

Please do a scan with Kaspersky Online Scanner.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: If the scan freezes for more than 30 minutes, stop the scan, and report back to me.

Re: Need Help to remove Antimalware Doctor
Sorry for the long reply, but here is the result of the scan.
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 9, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 09, 2010 02:35:13
Records in database: 4131622
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Objects scanned 70696
Threats found 2
Infected objects found 4
Suspicious objects found 0
Scan duration 01:45:11

File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Infected: Trojan.Win32.Clicker.hd 1
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul Infected: Trojan-Spy.JS.Agent.a 1
C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml Infected: Trojan.Win32.Clicker.hd 1
C:\WINDOWS\temp\tkmr.exe Infected: Trojan.Win32.Clicker.hd 1
Selected area has been scanned.

Re: Need Help to remove Antimalware Doctor
Please download OTM.

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

    Code:

    :files
    C:\WINDOWS\temp\tkmr.exe
    C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
    C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul
    C:\Documents and Settings\All Users\Application Data\Update\seupd.exe

    :Commands
    [emptytemp]
    [purity]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Since this infection has killed your Google search plugin in Firefox, we will need to have you download a new one after OTM is run.

Visit Google.com in Firefox, and you will see a glow in your Search Box (top right of browser), drop that down, and click on Add Google Search.

Let me know how it goes.

Re: Need Help to remove Antimalware Doctor
All processes killed
========== FILES ==========
Unable to create HKLM\Software\OldTimer Tools\OTM key.
File move failed. C:\WINDOWS\temp\tkmr.exe scheduled to be moved on reboot.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
File move failed. C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml scheduled to be moved on reboot.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
File move failed. C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul scheduled to be moved on reboot.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
File move failed. C:\Documents and Settings\All Users\Application Data\Update\seupd.exe scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: admin

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 107590420 bytes
Unable to create HKLM\Software\OldTimer Tools\OTM key.
->Temporary Internet Files folder emptied: 305746632 bytes
->Java cache emptied: 1009351 bytes
->FireFox cache emptied: 38818393 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1211 bytes

User: LocalService

User: NetworkService

User: nikki
->Apple Safari cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Windows Temp folder emptied: 1546341 bytes
RecycleBin emptied: 28484 bytes

Total Files Cleaned = 434.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08102010_142544

Re: Need Help to remove Antimalware Doctor
ESET Online Scan

Please run a free online scan with the ESET Online Scanner.
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Need Help to remove Antimalware Doctor
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25da58727e6ebb42b15da5020dff6015
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-31 09:54:08
# local_time=2010-07-31 04:54:08 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 9202855 9202855 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122855
# found=10
# cleaned=10
# scan_time=8051
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\31\475ee9f-4f061400 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\42\3c071b2a-54b6c946 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\6\13b98886-414ec045 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\92.tmp a variant of Win32/Olmarik.UL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\jar_cache3974793204991448007.tmp a variant of Java/TrojanDownloader.Agent.NBA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\jar_cache6146789445735889649.tmp a variant of Java/Exploit.Agent.NAC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\soenxrwcma.tmp a variant of Win32/Injector.BCP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\xwcaonmres.tmp a variant of Win32/VB.PAM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\plugtmp-45\plugin-Notes2.pdf JS/Exploit.Pdfka.OAH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\My Documents\Downloads\exeHelper.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25da58727e6ebb42b15da5020dff6015
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-11 03:58:16
# local_time=2010-08-11 10:58:16 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 10135816 10135816 0 0
# compatibility_mode=8192 67108863 100 0 846733 846733 0 0
# scanned=95988
# found=7
# cleaned=7
# scan_time=4141
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP352\A0137845.dll Win32/Adware.Lifze.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP354\A0137954.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\sxlsex80.dll a variant of Win32/Cimag.DC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\kxigp.dll Win32/Adware.Lifze.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\srenum.sys Win32/Rootkit.Agent.NTI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\temp\gilnnw.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\temp\rmukuo.exe a variant of Win32/Cimag.DC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
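The log.txt pasted above carries two scan sessions back to back because the ESET scanner appends every run to the same file. The parser below is an added example written for this page, not ESET's or the thread's own code: it splits the file into sessions, cross-checks the `# found=` counter against the detection lines, and sorts each hit by where it sits on disk (restore point, temp/cache/download, OS or program folder), using an abridged excerpt of the pasted log as constructed input. The phrases used to spot where the threat name begins are taken from the lines on this page and are an assumption for other logs.

```python
import re

# Detection line: <path> <threat> (<action>) <32-hex digest> <flag>. Paths contain spaces,
# so the threat text is located by the phrases ESET uses to begin it (assumed from this page).
THREAT_START = r"(?:probably a variant of |a variant of |multiple threats|[A-Za-z0-9]+/[^\s\\]+)"
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<threat>" + THREAT_START + r".*?) "
    r"\((?P<action>[^)]*)\) (?P<digest>[0-9a-fA-F]{32}) (?P<flag>\S+)$")
HEADER_RE = re.compile(r"^# (?P<key>[A-Za-z_.]+)=(?P<value>.*)$")

def parse_eset_log(text: str) -> list:
    """Split the append-only log into sessions of {'meta': {...}, 'detections': [...]}."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            if h["key"] == "version" or not sessions:  # '# version=' opens a new run
                sessions.append({"meta": {}, "detections": []})
            sessions[-1]["meta"][h["key"]] = h["value"]
        elif (d := DETECTION_RE.match(line)) and sessions:  # banner/'all ok' lines skip
            sessions[-1]["detections"].append({k: d[k] for k in ("path", "threat", "action")})
    return sessions

def classify_location(path: str) -> str:
    """Restore-point copies are inert, temp/cache/downloads are the entry vector,
    OS and program folders mean something got installed (persistence)."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore_point"
    if "\\temp\\" in p or "\\deployment\\cache\\" in p or "\\downloads\\" in p:
        return "transient"
    if "\\windows\\" in p or "\\program files\\" in p:
        return "system"
    return "other"

def summarize(sessions: list) -> list:
    """Per session: 'found' counter, a cross-check against the lines, detections by location."""
    rows = []
    for s in sessions:
        by_loc = {}
        for d in s["detections"]:
            loc = classify_location(d["path"])
            by_loc[loc] = by_loc.get(loc, 0) + 1
        found = int(s["meta"].get("found", 0))
        rows.append({"utc_time": s["meta"].get("utc_time", "?"), "found": found,
                     "consistent": found == len(s["detections"]), "by_location": by_loc})
    return rows

# Constructed input: abridged excerpt of the log pasted above, 'found' reduced to the lines kept.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2010-07-31 09:54:08
# found=2
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\31\475ee9f-4f061400 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\My Documents\Downloads\exeHelper.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# utc_time=2010-08-11 03:58:16
# found=3
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP352\A0137845.dll Win32/Adware.Lifze.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\srenum.sys Win32/Rootkit.Agent.NTI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\temp\rmukuo.exe a variant of Win32/Cimag.DC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""
```

Run `summarize(parse_eset_log(SAMPLE_LOG))` to get one row per session; a "system" entry in a later session, like the driver in system32\drivers here, is the kind of hit that points to reinfection rather than leftovers.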

Re: Need Help to remove Antimalware Doctor
I'd like to see this a bit closer...

Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Re: Need Help to remove Antimalware Doctor
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/08/11 16:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7477000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\alfexj.sys
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89c035e0 Size: 2593

Hidden Services
-------------------
Service Name: alfexj
Image Path: C:\WINDOWS\system32\drivers\alfexj.sys

==EOF==

Re: Need Help to remove Antimalware Doctor
I wonder what this is: C:\WINDOWS\system32\drivers\alfexj.sys

  • Please go to VirSCAN.org FREE on-line scan service
  • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\system32\drivers\alfexj.sys

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Re: Need Help to remove Antimalware Doctor
It won't let me upload it. It says "ERROR: Can't Upload file!"

Re: Need Help to remove Antimalware Doctor
Your computer gets reinfected, I noticed, which is why I had you run an online scan so much.

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Screenshot: RC_successful message]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Need Help to remove Antimalware Doctor
Still with us? Please let me know how things are going!
