Adlice forum

General Category => Malware removal help => Topic started by: NoobNeedsHelp on January 03, 2015, 04:54:44 PM

Title: help help help!
Post by: NoobNeedsHelp on January 03, 2015, 04:54:44 PM

Hello Admins.. I need help big time. I use Avast and it is driving me crazy blocking. I'm running at CPU between 30 and 40% and always over 90% physical memory. I've been running RK for a few months now almost daily and have read all your help files but I'm not PC literate enough to find and remove the hooks. I don't even know how to go about locating them. I also run Avast often and have to continuously delete Trojans from the quarantine list. HELP please?!?!?

PS: Unfortunately, even after removing the RK dated report logs from the bottom, my copy/past exceeded the character limit so a txt file is attached.

Sincerely frustrated,
 :(
NoobNeedsHelp

Title: Re: help help help!
Post by: Curson on January 04, 2015, 01:39:47 AM

Hello NoobNeedsHelp,

Welcome to Adlice.com Forum.
Could you please post Avast's log ? It could potentially help us locating the infection.

The MBR on your computer seems nonstandard.
Unknown MBRs are dumped into %programdata%/RogueKiller/debug/.

Please locate the file and attach it on your next post (you need to zip it first).

Regards.

Note : This thread has been moved to the "Malware removal help" section for clarity.

Title: Re: help help help!
Post by: NoobNeedsHelp on January 04, 2015, 05:03:32 AM

@Curson,

No where on my free Avast interface does it provide the ability to save or print-to-file and produce a log file and save. I also searched through the Avast folders and couldn't find one.

I'm currently running a search for the RK debug file you advised of... first using your search parameters which produced nothing. Second search on RogueKiller produced nothing. Currently I'm running a search on debug which is producing quite a bit and of course taking forever running at 97% physical memory while connected to the internet (reduced below 30 when not). I'll let you know when it's finished if there are any roguekiller debug files found when it is. By the way, I also couldn't locate any RK folders anywhere, but that could perhaps be because I followed the instructions, saved, and loaded it directly to my desktop.

So far all I am able to give you is that txt file attached in my initial post. I will keep you informed if I'm able to locate anything else. Any suggestions and/or directions to specific locations where I might navigate to in WE would be greatly appreciated!

Sincerely still frustrated,
NoobNeedsHelp  :-\

I've watched connecting to the internet and disconnecting with task manager up. There are two files after connection that continuously grow non-stop; iexplore.exe *32 and explorer.exe. There are always multiple instances of both and one explorer.exe has no User Name nor Description. The others all have my name and Internet or Windows Explorer as applicable.

Title: Re: help help help!
Post by: NoobNeedsHelp on January 04, 2015, 05:53:06 AM

@Curson I found two files in the debug folder.

Thanks again,
NNH  ???

Title: Re: help help help!
Post by: NoobNeedsHelp on January 04, 2015, 07:45:34 AM

Avast log files attached, only available immediately after running the scan.

NNH

Title: Re: help help help!
Post by: Curson on January 04, 2015, 04:32:58 PM

Hi NoobNeedsHelp,

At first sight, the MBR dump seems alright.

I just noticed you are using an outdated version of RogueKiller.
Please download the latest version HERE (http://www.adlice.com/fr//?smd_process_download=1&download_id=2181), redo a full scan and paste the content of the log file in your next post.

Regards.

Title: Re: help help help!
Post by: NoobNeedsHelp on January 04, 2015, 06:48:20 PM

Latest RK version log file attached.

NNH

Title: Re: help help help!
Post by: Tigzy on January 05, 2015, 10:44:06 AM

Hello
Sorry to disturb, just a quick thingy.

The hooks are legit, they are already whitelisted in the next release.
Could you upload the MBR dump (PhysicalDrive_something file) located in %programdata%/RogueKiller/debug ?
We will analyse it.

EDIT: I should have read the whole thread :p Here it is.

Title: Re: help help help!
Post by: Curson on January 05, 2015, 01:56:13 PM

Hi NoobNeedsHelp, Tigzy,

RogueKiller has not detected any malware and the logs of Avast you provided are not helping us either.
We need to investigate this more thoroughly.

1. Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) and save it to your desktop.

• Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  Malwarebytes will automatically open to it's Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  

• Click on Update Now to download the current database definitions, then click the Scan Now button.
  If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  

The THREAT SCAN will automatically begin.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.

After rebooting the computer, copy and past the mbam.log in your next reply.

To retrieve the scan log information (Method 1) :

• Open Malwarebytes Anti-Malware.
• Click the History Tab at the top and select Application Logs.
  
• Select the box next to Scan Log. Choose the most current scan.
  
• Click the Export button and save the log as a .txt file on your Desktop or another location.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the scan log information (Method 2) :

• Open Malwarebytes Anti-Malware.
• Click the Scan Tab at the top.
  
• Click the View detailed log link on the right.
  
• Click the Export button and save the log as a .txt file on your Desktop or another location.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:

• -- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
• -- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

2. OTL

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) by OldTimer and save the file to your desktop.

• Double-click on the setup file (OTL.exe)and select Run as Administrator to start the tool.
• Make sure that Scan All Users, LOP check and Purity check are ticked.
• For 64-bit systems only - make sure that Include 64-bit option is also ticked.
• Sections Processes, Modules, Services, Drivers, Standard Registry are set to Use Safelist.
• Section Extra Registry is also set to Use Safelist.

Push Run Scan and wait patiently.
Two notepad windows will be opened after this run: OTL.txt (maximized) and Extras.txt (minimized).

Please include the content of both logfiles in your next reply.

Regards.