Thread: Data Doctor 2010 virus/trojan/malware serious problem

  #1  Junior Member (Join Date: Jan 2010, Posts: 3)

    Data Doctor 2010 virus/trojan/malware serious problem

    Hello,

    I have a pretty nasty trojan/virus/malware problem. I think this is a relatively new piece of malware, being that I can't find much data on it.


    I'm getting 2 alternating fake Windows protection notices in the system tray with a red X inside a shield. They are as follows:

    1. Windows detected that some of your documents & media files are corrupted. Click here to download & install recommended file repair software.

    2. Some registry keys are invalid, system can run with errors & poor performance.

    Firefox and Internet Explorer won't run, although I can get on Firefox through a link on the HijackThis Main Menu page that says

    "Open online Hijack this Quick Start"

    Malwarebytes gets stuck on an endless scan of mbam.exe. Can't open Outlook. I tried scanning with Kaspersky and ESET; these found nothing. Did a scan with A-squared Free, which found this:

    C:\Documents and Settings\Owner.GATEWAY\Local Settings\Temp\ddsetup.exe detected: Riskware.FraudTool.Win32.Agent!IK
    C:\Documents and Settings\Owner.GATEWAY\Local Settings\Temporary Internet Files\Content.IE5\3PNCG2SF\dd.2010.setup[1].exe detected: Riskware.FraudTool.Win32.Agent!IK



    Attached is the DDS log. Thanks in advance for your help.



    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Owner at 22:43:34.31 on Thu 01/07/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1140 [GMT -5:00]

    AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
    C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
    C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
    C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
    svchost.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxduserv.exe
    C:\WINDOWS\system32\lxducoms.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Documents and Settings\Owner.GATEWAY\Desktop\Virus\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.gotomypc.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
    mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
    mRun: [EzPrint] "c:\program files\lexmark 5600-6600 series\ezprint.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\harmon~1.lnk - c:\program files\logitech\harmony remote\EasyZapperMonitor.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: LMIinit - LMIinit.dll
    AppInit_DLLs: c:\windows\system32\tandl.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner~1.gat\applic~1\mozilla\firefox\profiles\8io3g23c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://health.msn.com/
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npxsciter.dll
    FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2007-5-18 10368]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
    R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-8-12 1858144]
    R2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2007-5-18 182272]
    R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-4-9 731840]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-29 47640]
    R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
    R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-11-10 98984]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
    S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-1-30 9728]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    =============== Created Last 30 ================

    2010-01-07 15:45:34 0 d-sha-w- c:\windows\Repair
    2010-01-05 16:48:41 696832 ----a-w- c:\windows\isRS-000.tmp
    2010-01-05 03:31:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-05 03:31:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-05 03:31:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-04 03:20:57 0 d-----w- C:\Temp
    2010-01-04 03:02:29 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-01-04 03:02:25 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
    2010-01-04 03:02:20 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
    2010-01-04 03:02:15 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
    2010-01-04 03:02:10 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
    2010-01-04 03:00:55 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
    2010-01-04 02:59:56 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
    2010-01-04 02:59:55 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
    2010-01-04 02:59:54 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
    2010-01-04 02:59:49 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
    2010-01-04 02:59:44 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
    2010-01-04 02:59:39 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
    2010-01-04 02:59:36 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
    2010-01-04 02:59:29 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
    2010-01-04 02:59:23 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
    2010-01-04 02:59:18 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
    2010-01-04 02:59:13 7556 -c--a-w- c:\windows\system32\dllcache\usroslba.sys
    2010-01-04 02:59:08 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
    2010-01-04 02:59:03 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
    2010-01-04 02:57:57 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
    2010-01-04 02:56:59 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
    2010-01-04 02:55:57 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
    2010-01-04 02:54:55 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
    2010-01-04 02:53:59 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
    2010-01-04 02:52:59 73832 -c--a-w- c:\windows\system32\dllcache\slcoinst.dll
    2010-01-04 02:51:57 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
    2010-01-04 02:50:57 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
    2010-01-04 02:49:57 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll
    2010-01-04 02:48:57 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
    2010-01-04 02:47:59 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
    2010-01-04 02:46:56 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
    2010-01-04 02:45:55 54528 -c--a-w- c:\windows\system32\dllcache\OLDBA8.tmp
    2010-01-04 02:44:58 126080 -c--a-w- c:\windows\system32\dllcache\OLDB6F.tmp
    2010-01-04 02:43:58 128000 -c--a-w- c:\windows\system32\dllcache\OLDB1E.tmp
    2010-01-04 02:42:55 2944 -c--a-w- c:\windows\system32\dllcache\OLDADC.tmp
    2010-01-04 02:42:50 40960 -c--a-w- c:\windows\system32\dllcache\OLDAD8.tmp
    2010-01-04 02:42:49 22016 -c--a-w- c:\windows\system32\dllcache\OLDAD5.tmp
    2010-01-04 02:42:47 98304 -c--a-w- c:\windows\system32\dllcache\OLDACE.tmp
    2010-01-04 02:42:47 1875968 -c--a-w- c:\windows\system32\dllcache\OLDAD1.tmp
    2010-01-04 02:42:39 35200 -c--a-w- c:\windows\system32\dllcache\OLDACB.tmp
    2010-01-04 02:42:34 6016 -c--a-w- c:\windows\system32\dllcache\OLDAC7.tmp
    2010-01-04 02:42:19 15360 -c--a-w- c:\windows\system32\dllcache\OLDAC3.tmp
    2010-01-04 02:42:15 16128 -c--a-w- c:\windows\system32\dllcache\OLDABF.tmp
    2010-01-04 02:42:06 6528 -c--a-w- c:\windows\system32\dllcache\OLDA98.tmp
    2010-01-04 02:42:01 7680 -c--a-w- c:\windows\system32\dllcache\OLDA94.tmp
    2010-01-04 02:40:59 802683 -c--a-w- c:\windows\system32\dllcache\OLDA43.tmp
    2010-01-04 02:39:59 242176 -c--a-w- c:\windows\system32\dllcache\OLD9EF.tmp
    2010-01-04 02:38:59 152576 -c--a-w- c:\windows\system32\dllcache\OLD944.tmp
    2010-01-04 02:37:58 79872 -c--a-w- c:\windows\system32\dllcache\OLD8CC.tmp
    2010-01-04 02:36:56 353184 -c--a-w- c:\windows\system32\dllcache\OLD873.tmp
    2010-01-04 02:35:58 289887 -c--a-w- c:\windows\system32\dllcache\OLD825.tmp
    2010-01-04 02:34:58 39936 -c--a-w- c:\windows\system32\dllcache\OLD7D9.tmp
    2010-01-04 02:33:59 72192 -c--a-w- c:\windows\system32\dllcache\OLD75A.tmp
    2010-01-04 02:32:59 92160 -c--a-w- c:\windows\system32\dllcache\OLD6D4.tmp
    2010-01-04 02:31:59 144896 -c--a-w- c:\windows\system32\dllcache\OLD673.tmp
    2010-01-04 02:30:57 28062 -c--a-w- c:\windows\system32\dllcache\OLD606.tmp
    2010-01-04 02:29:58 131156 -c--a-w- c:\windows\system32\dllcache\OLD59A.tmp
    2010-01-04 02:28:58 72832 -c--a-w- c:\windows\system32\dllcache\OLD51C.tmp
    2010-01-04 02:27:59 1677824 -c--a-w- c:\windows\system32\dllcache\OLD499.tmp
    2010-01-04 02:26:59 66082 -c--a-w- c:\windows\system32\dllcache\OLD3AB.tmp
    2010-01-04 02:25:59 144384 -c--a-w- c:\windows\system32\dllcache\OLD2D4.tmp
    2010-01-04 02:24:58 29455 -c--a-w- c:\windows\system32\dllcache\OLD21D.tmp
    2010-01-04 02:23:59 584448 -c--a-w- c:\windows\system32\dllcache\OLD177.tmp
    2010-01-04 02:22:55 76800 -c--a-w- c:\windows\system32\dllcache\OLD10B.tmp
    2009-12-29 06:09:06 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-12-29 06:09:06 159232 ----a-w- c:\windows\system32\ptpusd.dll

    ==================== Find3M ====================

    2010-01-03 11:47:05 102400 ----a-w- c:\windows\system32\tandl.dll
    2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
    2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

    ============= FINISH: 22:44:28.46 ===============

  #2  Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Please post attach.txt part of DDS too. Try Sunbelt 2010 Data Decryption Tool on those "corrupted" (actually encrypted) files. Follow the instructions given behind the link.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  #3  Junior Member (Join Date: Jan 2010, Posts: 3)

    Quote, originally posted by Blade81:
        Hi,

        Please post attach.txt part of DDS too. Try Sunbelt 2010 Data Decryption Tool on those "corrupted" (actually encrypted) files. Follow the instructions given behind the link.

    Here is the Attach file. I'm not exactly sure what to do with this Sunbelt link, but I'm going to investigate.

    Thanks so much for your help.

    One thing I'm not clear on. Data Doctor is not installed on my computer. I managed to find the ddsetup.exe and delete it. So the program never actually installed. But whatever the vehicle is that installed the malware, it is still active on my computer. That's why I get the Windows file protection messages and my IE and Firefox and email and other programs are not working. Will the Sunbelt link still help me?

  #4  Junior Member (Join Date: Jan 2010, Posts: 3)

    I read the detail on the sunbelt decryption tool. I have not come across any encrypted files.

    I believe whatever I have replaced a lot of the files in my C:\WINDOWS\system32\dllcache folder. There are many entries like the ones in the attached file (it's a .jpg file). I found these files by running YourUninstaller and searching for temp files. There are 449 of these files; I took a picture of just a few of them. I deleted all the temp files and they are now in my Recycle Bin. The date and time of these files correspond to when I first encountered this virus/trojan.
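    The DDS log in post #1 and the dllcache observation in post #4 are the kind of thing a helper reads by hand. The script below is an added example (not part of this thread and not a DDS feature) that does the first pass mechanically: it pulls the AppInit_DLLs and SecurityProviders load points out of the Pseudo HJT section, cross-references any DLL named there against the file timestamps in the "Created Last 30" / "Find3M" sections, collects scanner detections, and looks for a dense burst of writes under system32\dllcache like the one-per-minute run visible in the log. It only reports what the log says; deciding whether an entry is malicious is still the helper's job. The Windows XP default SecurityProviders list and the burst window/threshold are assumptions, and SAMPLE_LOG is a constructed excerpt of a few lines from the log above, not the full log.

```python
"""Triage helper for a DDS log.  Added example, not DDS output and not from the
thread.  Baseline lists and thresholds below are assumptions."""
import re
from datetime import datetime, timedelta

# Assumed Windows XP default value of
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Matches "2010-01-04 02:59:55 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll"
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+(\S.*)$")
LOAD_POINTS = ("AppInit_DLLs", "SecurityProviders")


def parse_dds(text):
    """Split a DDS log into load-point values, timestamped file entries and detections."""
    load_points, files, detections = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if "detected:" in line:                      # scanner output pasted into the post
            detections.append(line)
            continue
        m = FILE_LINE.match(line)
        if m:                                        # "Created Last 30" / "Find3M" rows
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            files.append((stamp, m.group(2).strip().lower()))
            continue
        key, sep, value = line.partition(":")
        if sep and key in LOAD_POINTS:               # "AppInit_DLLs: ...", "SecurityProviders: ..."
            load_points.setdefault(key, []).append(value.strip())
    return load_points, files, detections


def largest_burst(stamps, window):
    """(count, first, last) of the densest run of timestamps inside any span of length `window`."""
    stamps = sorted(stamps)
    best, start = (0, None, None), 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:            # slide the left edge forward
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, stamps[start], t)
    return best


def triage(text, window=timedelta(hours=1), burst_min=10):
    """Findings a helper would want before deciding on next steps."""
    load_points, files, detections = parse_dds(text)
    written_at = {}
    for stamp, path in files:                        # earliest timestamp the log gives per path
        written_at.setdefault(path, stamp)
    findings = {"appinit_dlls": [], "extra_security_providers": [],
                "dllcache_burst": None, "detections": detections}
    # Every DLL in AppInit_DLLs is mapped into every process that loads user32.dll, so the
    # value is a classic persistence point.  Registry value is comma/space separated
    # (assumes no spaces inside the paths, which is the usual case).
    for value in load_points.get("AppInit_DLLs", []):
        for dll in re.split(r"[,\s]+", value.lower()):
            if dll:
                findings["appinit_dlls"].append((dll, written_at.get(dll)))
    # SecurityProviders DLLs are loaded by every SSPI client; list anything outside the baseline.
    for value in load_points.get("SecurityProviders", []):
        listed = {p.strip().lower() for p in value.split(",") if p.strip()}
        findings["extra_security_providers"].extend(sorted(listed - DEFAULT_SECURITY_PROVIDERS))
    # A run of writes into the Windows File Protection cache at one-minute spacing is not
    # ordinary user activity; report the densest window if it clears the threshold.
    burst = largest_burst([s for s, p in files if "\\dllcache\\" in p], window)
    if burst[0] >= burst_min:
        findings["dllcache_burst"] = burst
    return findings


# Constructed excerpt of the log in post #1 (a handful of representative rows, not the whole log).
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner.GATEWAY\Local Settings\Temp\ddsetup.exe detected: Riskware.FraudTool.Win32.Agent!IK
============== Pseudo HJT Report ===============
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\tandl.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
=============== Created Last 30 ================
2010-01-04 03:02:29 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-01-04 03:02:25 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-01-04 03:02:20 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-01-04 03:00:55 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2010-01-04 02:59:56 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-01-04 02:59:55 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2009-12-29 06:09:06 5632 ----a-w- c:\windows\system32\ptpusb.dll
==================== Find3M ====================
2010-01-03 11:47:05 102400 ----a-w- c:\windows\system32\tandl.dll
"""


def sample_findings():
    """Run the triage over the constructed excerpt with a threshold sized for six rows."""
    return triage(SAMPLE_LOG, burst_min=5)


if __name__ == "__main__":
    for key, value in sample_findings().items():
        print(f"{key}: {value}")
```

    On the excerpt this reports the AppInit_DLLs entry together with the Find3M timestamp of that file (the day before the dllcache run), one SecurityProviders DLL outside the assumed baseline, the two-and-a-half-minute run of six dllcache writes, and the A-squared detection. Run against the full log, the burst count climbs to the size of the "Created Last 30" section; the 449 files the poster counted would only show up in full if DDS had listed them all.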

  #5  Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    As I told earlier, the infection encrypts files and then shows messages about corrupted files to convince user to believe suggested repair software is needed to correct the issue. That's pure scam.

    Start MBAM, update its definitions on the Update tab. Run a quick scan (let it delete found items) and post back the report it creates.


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  #6  Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Due to inactivity, this thread will now be closed.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
