Adlice forum

General Category => Malware removal help => Topic started by: deppc on May 13, 2015, 11:29:08 pm

Title: Rootkit removal assistance
Post by: deppc on May 13, 2015, 11:29:08 pm
Hi there. Some days ago I downloaded a game that many users said has a bitcoin miner, and they suggested downloading RogueKiller. All OK with the scan, no obvious viruses, but I'm a newbie about rootkits, which ones I should remove and how. I would be grateful if you could help me; here is my rootkit report:

Antirootkit : 32 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x74811501 (jmp 0xfd774e11|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtUnmapViewOfSection : Unknown @ 0x74811599 (jmp 0xfd774e89|jmp 0xffffef02|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSuspendThread : Unknown @ 0x74811f19 (jmp 0xfd774119|jmp 0xffffe582|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetContextThread : Unknown @ 0x74811b89 (jmp 0xfd774089|jmp 0xffffe912|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x748138a1 (jmp 0xfd776f31|jmp 0xffffcbfa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateSection : Unknown @ 0x74814059 (jmp 0xfd777749|jmp 0xffffc442|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetInformationProcess : Unknown @ 0x748129c9 (jmp 0xfd776399|jmp 0xffffdad2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x74812af9 (jmp 0xfd774e19|jmp 0xffffd9a2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetValueKey : Unknown @ 0x74814189 (jmp 0xfd777719|jmp 0xffffc312|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenFile : Unknown @ 0x74813479 (jmp 0xfd776cd9|jmp 0xffffd022|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtTerminateProcess : Unknown @ 0x74812931 (jmp 0xfd776201|jmp 0xffffdb6a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNELBASE.dll - CreateProcessInternalW : Unknown @ 0x74811a59 (jmp 0xfd9d1b99|jmp 0xffffea42|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDuplicateObject : Unknown @ 0x74811d51 (jmp 0xfd775521|jmp 0xffffe74a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x74811af1 (jmp 0xfd7752e1|jmp 0xffffe9aa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateMutant : Unknown @ 0x74813f29 (jmp 0xfd777059|jmp 0xffffc572|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x74811c21 (jmp 0xfd775551|jmp 0xffffe87a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenSection : Unknown @ 0x74813fc1 (jmp 0xfd7777e1|jmp 0xffffc4da|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlCreateProcessParametersEx : Unknown @ 0x74812769 (jmp 0xfd7acc59|jmp 0xffffdd32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x748117f9 (jmp 0xfd774879|jmp 0xffffeca2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueueApcThread : Unknown @ 0x74811cb9 (jmp 0xfd7753f9|jmp 0xffffe7e2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNEL32.DLL - CreateToolhelp32Snapshot : Unknown @ 0x74811e81 (jmp 0xffee8611|jmp 0xffffe61a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) MSVCR120.dll - fopen : Unknown @ 0x74813df9 (jmp 0x1fe2035|jmp 0xffffc6a2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageW : Unknown @ 0x748133e1 (jmp 0xfdb98731|jmp 0xffffd0ba|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageA : Unknown @ 0x74813219 (jmp 0xfdb6d479|jmp 0xffffd282|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageA : Unknown @ 0x74813349 (jmp 0xfdb93079|jmp 0xffffd152|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtVdmControl : Unknown @ 0x748130e9 (jmp 0xfd7751c9|jmp 0xffffd3b2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtLoadDriver : Unknown @ 0x74812a61 (jmp 0xfd7756d1|jmp 0xffffda3a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageW : Unknown @ 0x748132b1 (jmp 0xfdb98e91|jmp 0xffffd1ea|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWinEventHook : Unknown @ 0x74812049 (jmp 0xfdb8ee29|jmp 0xffffe452|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x748116c9 (jmp 0xfdb8b729|jmp 0xffffedd2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExA : Unknown @ 0x74811631 (jmp 0xfdb6c051|jmp 0xffffee6a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNEL32.DLL - GetStartupInfoA : Unknown @ 0x74813051 (jmp 0xffefa071|jmp 0xffffd44a|call 0x1fe)
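
To make an Antirootkit report like the one above quicker to read, here is a small Python triage script (an added example, not RogueKiller's code or anything posted in this thread) that parses the hook lines and summarises which processes and modules are hooked, whether the owner is unknown, and whether the hook stubs cluster in one address range; the sample lines are copied from the report above, the thresholds and field names are assumptions.

```python
import re
from collections import Counter

# Header line plus four hook lines copied from the report in the post above;
# the full report parses the same way (lines that do not match are skipped).
SAMPLE = """Antirootkit : 32 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x74811501 (jmp 0xfd774e11|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x74811af1 (jmp 0xfd7752e1|jmp 0xffffe9aa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNELBASE.dll - CreateProcessInternalW : Unknown @ 0x74811a59 (jmp 0xfd9d1b99|jmp 0xffffea42|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x748116c9 (jmp 0xfdb8b729|jmp 0xffffedd2|call 0x1fe)
"""

# One RogueKiller Antirootkit hook line has the shape:
# [kind] (process) module - function : owner @ 0xaddr (stub|stub|...)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+\((?P<process>[^)]+)\)\s+"
    r"(?P<module>\S+)\s+-\s+(?P<function>\S+)\s+:\s+(?P<owner>\S+)\s+@\s+"
    r"(?P<addr>0x[0-9a-fA-F]+)\s+\((?P<tramp>[^)]*)\)\s*$"
)

def parse_hooks(text):
    """Return one dict per hook line; the address is an int, the stub a list."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # e.g. the "Antirootkit : 32 (Driver: Loaded)" header
        d = m.groupdict()
        d["addr"] = int(d["addr"], 16)
        d["tramp"] = d["tramp"].split("|")
        hooks.append(d)
    return hooks

def triage(hooks):
    """Summarise what a removal helper looks at first: hooked processes and
    modules, unknown owners, and whether all stubs sit in one small region
    (heuristic, assumed 64 KiB: one injected module rather than several)."""
    addrs = [h["addr"] for h in hooks]
    span = max(addrs) - min(addrs) if addrs else 0
    stub_tail = Counter(h["tramp"][-1] for h in hooks)  # same final call = same engine
    return {
        "count": len(hooks),
        "by_process": dict(Counter(h["process"] for h in hooks)),
        "by_module": dict(Counter(h["module"] for h in hooks)),
        "unknown_owner": sum(h["owner"] == "Unknown" for h in hooks),
        "addr_span": span,
        "single_region": span < 0x10000,
        "single_engine": len(stub_tail) == 1,
    }
```

The summary only tells you that one unidentified module has hooked a single process; whether that module is a security product or unwanted software still has to be decided from the full report, which is why the helper asks for it.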
Title: Re: Rootkit removal assistance
Post by: Curson on May 15, 2015, 03:59:30 pm
Hi deppc,

Welcome to the forum.
Quote from: deppc
Some days ago I downloaded a game that many users said has a bitcoin miner, and they suggested downloading RogueKiller.
Why did you install it knowing that? ::)

Copy/paste the full report generated by RogueKiller in your next reply.

Title: Re: Rootkit removal assistance
Post by: deppc on May 15, 2015, 07:08:20 pm
Hi, thanks for replying. Well, after one week of playing the game normally it crashed, so I went back to the torrent's comment section, where something about this was mentioned, and newer comments were talking about the bitcoin miner.  ::)  :o
Bitdefender is clear, I deleted some PUPs and PUMs through Malwarebytes, and here is my RogueKiller report.

Title: Re: Rootkit removal assistance
Post by: Curson on May 19, 2015, 01:17:31 pm
Hi deppc,

Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) as well as the Malwarebytes Anti-Malware report in your next reply.