
Hi,
I know you are all busy and I know I've been daft but someone's help would be most appreciated.
I have suffered an attack by Anti Malware Doctor and immediately ran Malwarebytes Antimalware to get rid of it. I thought I had cleaned it up at first, then strange things started to happen: multiple system crashes, Orange version of Internet Explorer not working, Windows update prevented, emails attempting to send (but being blocked by my ESET AV software).
I've been fighting for control of my PC ever since.

The MBAM log:
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

03/09/2010 12:09:40
mbam-log-2010-09-03 (12-09-40).txt

Scan type: Quick scan
Objects scanned: 175696
Time elapsed: 15 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c81f3d4f-b2f5-45df-9a59-35fd2ecdffe2} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c81f3d4f-b2f5-45df-9a59-35fd2ecdffe2} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d25254b7-4b6b-4435-bc21-13c1b69a1b89} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d25254b7-4b6b-4435-bc21-13c1b69a1b89} (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mrsnwaecxo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediafix70700en02.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Colin\AppData\Local\Temp\mrsnwaecxo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Colin\AppData\Local\Temp\aencwmosxr.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Users\Colin\AppData\Local\Temp\st_witty820_1930.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Windows\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Windows\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Users\Colin\AppData\Roaming\85FFBFA0CE4C8B154609F9CD53054136\mediafix70700en02.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Reading the DaniWeb instructions, I have run Microsoft Malicious Software Tool and several other programs. The MMST found something in quick scan and suggested a full scan. The computer crashed halfway through and each time was unsuccessful.

GMER ran for the first pass but would not run the second time with boxes unchecked as instructed. I tried several times (including in Safe Mode) and each time either it was stopped or the machine crashed... here is the log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-10 10:46:32
Windows 6.0.6002 Service Pack 2
Running: 3jbyz8yc.exe; Driver: C:\Users\Colin\AppData\Local\Temp\kwldyfow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 TSIKBF5.SYS (Remote Control Component/Laplink Software, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 TSIKBF5.SYS (Remote Control Component/Laplink Software, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8546EEC5

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

The last instruction was to run DDS: this immediately results in a text file full of code but I can't see how to run it if it is a program.

There you go. Can anyone help?
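An MBAM 1.x log like the one above is plain text with a fixed shape: a few header lines, then "... Infected:" sections whose entries read "path (Family) -> action." The parser below is an added example (not from the thread or from Malwarebytes) that turns such a log into structured findings so you can see at a glance which threat families were present, which entries were autorun (Run-key) persistence, and whether every item was actually removed rather than left for a reboot. The embedded sample is a constructed excerpt in the same format as the posted log; the helper names are my own.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text log into structured findings.

Added example, not part of the original thread. SAMPLE_LOG is a constructed
excerpt in the format of the log posted above.
"""
import re
from collections import Counter

# Constructed sample in the MBAM 1.x log format (subset of the posted log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4534

Scan type: Quick scan
Objects scanned: 175696

Registry Keys Infected: 2
Registry Values Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mrsnwaecxo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Users\Colin\AppData\Local\Temp\mrsnwaecxo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Colin\AppData\Roaming\85FFBFA0CE4C8B154609F9CD53054136\mediafix70700en02.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# A section header is "<Name> Infected:" with nothing after the colon;
# the summary counts ("Registry Keys Infected: 12") deliberately do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(
    r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$"
)
REMOVED_OK = "Quarantined and deleted successfully"
# Run keys are the autorun persistence mechanism used by the rogue in the log.
AUTORUN_MARKER = "\\CURRENTVERSION\\RUN\\"


def parse_detection(line):
    """Split 'path (Family) -> action.' into parts; None for non-detection lines.

    The family is taken from the LAST '(' so paths like 'Program Files (x86)'
    do not confuse the split.
    """
    if " -> " not in line:
        return None
    left, action = line.rsplit(" -> ", 1)
    if " (" not in left or not left.endswith(")"):
        return None
    path, family = left[:-1].rsplit(" (", 1)
    return {"path": path, "family": family, "action": action.rstrip(".")}


def parse_mbam_log(text):
    """Return {'header': {...}, 'findings': [{'section', 'path', 'family', 'action'}, ...]}."""
    header, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:  # still in the preamble (version, date, counts)
            continue
        det = parse_detection(line)
        if det:
            det["section"] = section
            findings.append(det)
    return {"header": header, "findings": findings}


def families(findings):
    """Count findings per threat family (e.g. Rogue.AntimalwareDoctor)."""
    return Counter(f["family"] for f in findings)


def autorun_entries(findings):
    """Findings that were autorun persistence (Run-key values)."""
    return [f for f in findings if AUTORUN_MARKER in f["path"].upper()]


def not_removed(findings):
    """Findings whose action is anything other than a clean quarantine+delete."""
    return [f for f in findings if f["action"] != REMOVED_OK]


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print("header:", result["header"])
    print("families:", dict(families(result["findings"])))
    print("autorun persistence:", [f["path"] for f in autorun_entries(result["findings"])])
    print("not fully removed:", not_removed(result["findings"]))
```

The `not_removed` check is the one worth running on every log: an entry whose action is not "Quarantined and deleted successfully" (for instance one scheduled for removal on reboot) is a reason to rescan after restarting before declaring the machine clean.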

Last Post by ukhostland

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!


Hi and many thanks for your assistance.
Combofix did not appear to work for me (it says I have Avira Antivirus and Spyware running but I can't find it).
The new Microsoft Malicious Software Remover seems to have done the trick, together with running SuperAntiSpyware and Malwarebytes AntiMalware in quick succession.
Here are the new GMER scan results (I was able to run the second scan this time).
GMER One:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-15 18:41:29
Windows 6.0.6002 Service Pack 2
Running: 3jbyz8yc.exe; Driver: C:\Users\Colin\AppData\Local\Temp\kwldyfow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 TSIKBF5.SYS (Remote Control Component/Laplink Software, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 TSIKBF5.SYS (Remote Control Component/Laplink Software, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

GMER Two:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-15 19:56:19
Windows 6.0.6002 Service Pack 2
Running: 3jbyz8yc.exe; Driver: C:\Users\Colin\AppData\Local\Temp\kwldyfow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8D1BF0B0]

---- Files - GMER 1.0.15 ----

File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Annuals-Biennials.txt 31371 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Bulbous Plants.txt 20847 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Coniferous Trees.txt 26630 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Grasses-Bamboos.txt 9224 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Other Plants.txt 11148 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Perennials.txt 149459 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Plant List (All).txt 458295 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Shrubs.txt 110229 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Trees.txt 85882 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\Vines.txt 13505 bytes
File C:\Users\Colin\AppData\Local\VirtualStore\Program Files\VectorWorks 2008\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants\Additional Datasets\Plant Database\VW Plants 0 bytes

---- EOF - GMER 1.0.15 ----

Unless you tell me otherwise I think we've cracked it. Thanks to the Forum Read Me suggestions and to you for your help.

I'm offline for a week in 8 hours or so, so if you see something or have any further suggestions to clean up completely I will not respond during that time but deal with it on my return.

Thanks again
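The two GMER runs in this thread are most useful side by side: the 10 September quick scan reported a "Device ->" redirection on \Driver\atapi and a "suspicious modification" of atapi.sys, and neither line appears in the 15 September runs. The script below is an added example (not from the thread or from GMER) that parses two GMER logs, diffs their entries, and lists the lines a reviewer should look at first. The two embedded logs are constructed excerpts in the format of the posted ones; the function names are my own.

```python
"""Diff two GMER quick-scan logs and flag entries that deserve a closer look.

Added example, not part of the original thread. BEFORE and AFTER are
constructed excerpts modelled on the logs posted above.
"""
import re

BEFORE = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-10 10:46:32

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8546EEC5

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

AFTER = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-15 18:41:29

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

---- EOF - GMER 1.0.15 ----
"""

# "---- Devices - GMER 1.0.15 ----" -> section name "Devices"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# Entry kinds seen in the posted logs; anything else is header/blank text.
ENTRY_TYPES = ("AttachedDevice", "Device", "File", "SSDT")
# Markers GMER puts on lines that need a human decision rather than a glance:
# a redirected device object and a driver file whose contents changed.
ATTENTION = ("Device ->", "suspicious modification")


def parse_gmer_log(text):
    """Return {section_name: set_of_entry_lines}; entries keep their exact text."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if line.startswith(ENTRY_TYPES):
            sections.setdefault(current, set()).add(line)
    return sections


def all_entries(sections):
    """Flatten the per-section sets into one set of entry lines."""
    return set().union(*sections.values())


def diff_logs(before_text, after_text):
    """Entries that disappeared, appeared, or stayed between two runs."""
    before = all_entries(parse_gmer_log(before_text))
    after = all_entries(parse_gmer_log(after_text))
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "unchanged": sorted(before & after),
    }


def attention_lines(text):
    """Entries carrying one of the ATTENTION markers, in log order of the set."""
    return sorted(e for e in all_entries(parse_gmer_log(text)) if any(k in e for k in ATTENTION))


if __name__ == "__main__":
    d = diff_logs(BEFORE, AFTER)
    for kind in ("removed", "added", "unchanged"):
        print(kind + ":")
        for entry in d[kind]:
            print("   ", entry)
    print("still needs attention after cleanup:", attention_lines(AFTER))
```

Reading the output is straightforward: the "unchanged" set is the legitimate filter drivers (ESET, the filesystem filter manager, Laplink) that you expect on every run, and an empty `attention_lines(AFTER)` is the concrete evidence that the device redirection and the modified driver file did not survive the cleanup.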


Can you post up the complete MBA-M log as the first one you posted is missing some info at the top.

What happened with Combofix?


MBAM log 3/9/2010:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4534

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

03/09/2010 12:09:40
mbam-log-2010-09-03 (12-09-40).txt

Scan type: Quick scan
Objects scanned: 175696
Time elapsed: 15 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c81f3d4f-b2f5-45df-9a59-35fd2ecdffe2} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c81f3d4f-b2f5-45df-9a59-35fd2ecdffe2} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d25254b7-4b6b-4435-bc21-13c1b69a1b89} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d25254b7-4b6b-4435-bc21-13c1b69a1b89} (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mrsnwaecxo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediafix70700en02.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Colin\AppData\Local\Temp\mrsnwaecxo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Colin\AppData\Local\Temp\aencwmosxr.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Users\Colin\AppData\Local\Temp\st_witty820_1930.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Windows\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Windows\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Users\Colin\AppData\Roaming\85FFBFA0CE4C8B154609F9CD53054136\mediafix70700en02.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

On 4/9/2010 I ran MBA-M three times. First time it was clean, this is the middle one:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4541

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

04/09/2010 14:58:45
mbam-log-2010-09-04 (14-58-45).txt

Scan type: Quick scan
Objects scanned: 175776
Time elapsed: 10 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Combofix was curious. I closed every spyware, antivirus and firewall I could find and started the program. It told me I had Avira Antispy and virus software running. I searched everywhere for the program but could not find it, although Windows Defender thought the same thing. In the end I gave up hunting and ran the program anyway. It seemed to be running, setting a recovery point, so I left it to it. Several hours later it was still trying to set a recovery point, so I closed it and started re-trying some of the programs I had downloaded on the advice of your Read Me First posting. I wonder if there is an old reference to Avira in my registry somewhere, which Combofix thought was a running program?


It would have picked up an entry in the registry for sure.

Could you please try running it in safe mode when you get the chance.


I've tried so many things in the last week or two, but I don't think I've done that.
I'll give it a go before I disappear.
Thanks again
