Jump to content

antimalware doctor


Recommended Posts

ran malwarebytes

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4356

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

26/07/2010 23:49:41

mbam-log-2010-07-26 (23-49-41).txt

Scan type: Full scan (C:\|)

Objects scanned: 245519

Time elapsed: 33 minute(s), 11 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 19

Memory Processes Infected:

C:\Users\iut044\AppData\Roaming\6C636E26DFBB038B858A0E6E4AFDD6A0\releaseversion70700.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

C:\Users\iut044\AppData\Roaming\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

C:\Users\iut044\AppData\Local\wmatetac.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\releaseversion70700.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxuvey (Trojan.Hiloti) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hbhvuuid (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\growedidayiyukej (Trojan.Agent.U) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Users\iut044\AppData\Roaming\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\Users\iut044\AppData\Roaming\6C636E26DFBB038B858A0E6E4AFDD6A0\releaseversion70700.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\wmatetac.dll (Trojan.Hiloti) -> Delete on reboot.

C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUN0ZKK4\aaidkfmhfa[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EXHHVM0L\sjnvpnidk[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCD32U9C\jaucnvc[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8J3RYI0\cgxvqksq[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8J3RYI0\imhbjepxrz[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8J3RYI0\releaseversion70700[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Temp\674c5ea6.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Temp\creg.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Temp\pmqtt.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\Temp\ukdoi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Roaming\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Roaming\SystemProc\upd.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\iut044\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.

C:\Users\iut044\AppData\Local\edosucefuheli.dll (Trojan.Agent.U) -> Delete on reboot.

I got 2 dll errors

here is hijack after the scan

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 00:16:25, on 27/07/2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

c:\PROGRA~2\mcafee.com\agent\mcagent.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe

C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/USCON/2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~2\mcafee\msk\mskapbho.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [spark] C:\Program Files (x86)\Spark\Spark.exe

O4 - HKCU\..\Run: [Google Update] "C:\Users\iut044\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')

O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8

Link to post
Share on other sites

  • 2 weeks later...
  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.