Adlice forum
General Category => Malware removal help => Topic started by: Perez_pancho on May 19, 2015, 06:07:49 AM
-
So i Have a really annoying malware infection, that opens tabs and windows and tells me my computers going to blow up haha. The most frustrating part is the computer runs extremely slow and freezes so much. Well the anti-root kit portion of rougekiller found some stuff in firefox.exe
RogueKiller V10.6.4.0 (x64) [May 18 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : FRANCISCO [Administrator]
Started from : C:\Users\FRANCISCO\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 05/18/2015 20:41:09
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 40 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDuplicateObject : Unknown @ 0x749d1ed9 (jmp 0xfd7f2049|jmp 0xffffe6b2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtTerminateProcess : Unknown @ 0x749d2ab9 (jmp 0xfd7f2dbd|jmp 0xffffdad2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x749d15f1 (jmp 0xfd7f1955|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtUnmapViewOfSection : Unknown @ 0x749d1689 (jmp 0xfd7f19bd|jmp 0xffffef02|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSuspendThread : Unknown @ 0x749d20a1 (jmp 0xfd7f02e5|jmp 0xffffe4ea|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetContextThread : Unknown @ 0x749d1d11 (jmp 0xfd7f03a5|jmp 0xffffe87a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x749d4609 (jmp 0xfd7f4585|jmp 0xffffbf82|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueryInformationToken : Unknown @ 0x749d3bf1 (jmp 0xfd7f3ffd|jmp 0xffffc99a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlEqualSid : Unknown @ 0x749d3c89 (jmp 0xfd7d2ca8|jmp 0xffffc902|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcessToken : Unknown @ 0x749d3b59 (jmp 0xfd7f2a4d|jmp 0xffffca32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateSection : Unknown @ 0x749d4d29 (jmp 0xfd7f4d39|jmp 0xffffb862|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetInformationProcess : Unknown @ 0x749d2b51 (jmp 0xfd7f2fdd|jmp 0xffffda3a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x749d1da9 (jmp 0xfd7f213d|jmp 0xffffe7e2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x749d2c81 (jmp 0xfd7f1051|jmp 0xffffd90a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetValueKey : Unknown @ 0x749d4e59 (jmp 0xfd7f4c49|jmp 0xffffb732|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenFile : Unknown @ 0x749d41e1 (jmp 0xfd7f4431|jmp 0xffffc3aa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x749d1c79 (jmp 0xfd7f1e19|jmp 0xffffe912|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlCreateProcessParametersEx : Unknown @ 0x749d28f1 (jmp 0xfd7b19a6|jmp 0xffffdc9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenSection : Unknown @ 0x749d4c91 (jmp 0xfd7f4e7d|jmp 0xffffb8fa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateMutant : Unknown @ 0x749d4bf9 (jmp 0xfd7f4411|jmp 0xffffb992|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueueApcThread : Unknown @ 0x749d1e41 (jmp 0xfd7f1ed1|jmp 0xffffe74a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x749d18e9 (jmp 0xfd7f0ff9|jmp 0xffffeca2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtAdjustPrivilegesToken : Unknown @ 0x749d3271 (jmp 0xfd7f3365|jmp 0xffffd31a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - CreateToolhelp32Snapshot : Unknown @ 0x749d2009 (jmp 0xfe1face2|jmp 0xffffe582|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - MoveFileExW : Unknown @ 0x749d2f79 (jmp 0xfe209474|jmp 0xffffd612|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) MSVCR120.dll - fopen : Unknown @ 0x749d4ac9 (jmp 0x23e2d05|jmp 0xffffbac2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageA : Unknown @ 0x749d3f81 (jmp 0xfddbc3ae|jmp 0xffffc60a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageA : Unknown @ 0x749d40b1 (jmp 0xfddb0507|jmp 0xffffc4da|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageW : Unknown @ 0x749d4149 (jmp 0xfddb2ea4|jmp 0xffffc442|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtVdmControl : Unknown @ 0x749d3e51 (jmp 0xfd7f1f1d|jmp 0xffffc73a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtLoadDriver : Unknown @ 0x749d2be9 (jmp 0xfd7f1da9|jmp 0xffffd9a2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageW : Unknown @ 0x749d4019 (jmp 0xfddbc737|jmp 0xffffc572|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWinEventHook : Unknown @ 0x749d21d1 (jmp 0xfddb33c8|jmp 0xffffe3ba|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x749d17b9 (jmp 0xfddaa1b6|jmp 0xffffedd2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CryptAcquireContextW : Unknown @ 0x749d3601 (jmp 0xffc1574d|jmp 0xffffcf8a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CryptAcquireContextA : Unknown @ 0x749d3569 (jmp 0xffc1a3f0|jmp 0xffffd022|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - OpenServiceW : Unknown @ 0x749d2431 (jmp 0xffc15a45|jmp 0xffffe15a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CloseServiceHandle : Unknown @ 0x749d2859 (jmp 0xffc0f25d|jmp 0xffffdd32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - GetStartupInfoA : Unknown @ 0x749d3db9 (jmp 0xfe222fb9|jmp 0xffffc7d2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExA : Unknown @ 0x749d1721 (jmp 0xfdda93c5|jmp 0xffffee6a|call 0x1fe)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK5075GSX +++++
--- User ---
[MBR] d52cfca0948bfdb8fafd2b1f75803d75
[BSP] 82f00fa70d64970d7bd1aa3a308415b3 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 460564 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 946309120 | Size: 14875 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_05182015_201309.log - RKreport_DEL_05182015_201345.log - RKreport_DEL_05182015_201439.log - RKreport_DEL_05182015_201511.log
RKreport_DEL_05182015_201545.log - RKreport_DEL_05182015_201602.log - RKreport_DEL_05182015_201631.log - RKreport_DEL_05182015_201639.log
-
Hi Perez_pancho,
Welcome to Adlice.com Forum.
1. Malwarebytes Anti-Malware
Please download Malwarebytes Anti-Malware (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) and save it to your desktop.
- Double-click on the setup file (mbam-setup.exe), then click on Run to install.
Malwarebytes will automatically open to it's Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
- Click on Update Now to download the current database definitions, then click the Scan Now button.
If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
The THREAT SCAN will automatically begin.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.
After rebooting the computer, copy and past the mbam.log in your next reply.
To retrieve the scan log information (Method 1) :
- Open Malwarebytes Anti-Malware.
- Click the History Tab at the top and select Application Logs.
- Select the box next to Scan Log. Choose the most current scan.
- Click the Export button and save the log as a .txt file on your Desktop or another location.
- Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
To retrieve the scan log information (Method 2) :
- Open Malwarebytes Anti-Malware.
- Click the Scan Tab at the top.
- Click the View detailed log link on the right.
- Click the Export button and save the log as a .txt file on your Desktop or another location.
- Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
- -- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
- -- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
2. FRST
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Regards.
-
Here is the Malware bytes and Farbardocuments.
I need help these things are driving me nuts, firefox is taking up about 1.7gb worth of memory when open!! All thse ads are making browsing unbearable!
-
Hi Perez_pancho,
Could you please attach the file Addition.txt as well ?
Regards.
-
i ATTACHED the other file, though rouge killler didnt find aything in firefox.exe like it did in my first post. either way any help will be appreciated.
-
Hi Perez_pancho,
I'm talking about the file named Addition.txt generated by FRST.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Coud you please attach this file in your next reply ?
Regards.
-
okay found it! haha
-
Anyone have an idea of what I can do?
-
Hi Perez_pancho,
Please uninstall the following programs using Control Panel :
Safesoft Protector
Spy Hunter
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !
Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
How is the computer running ?
Regards.
-
Its running a little better but I still have alot of advertisement, and still running very slow. and Malware bytes trying to block a bunch of websites.
d: best-deals-products.com
smpdr.com
I
-
Hi Perez_pancho,
Could you please redo a full scan with RogueKiller and post it your next reply ?
Regards.
-
Here it is
-
Hi Perez_pancho,
- Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop
- Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
(http://i1118.photobucket.com/albums/k611/lhs22/tds2.jpg)
- Check Loaded Modules and Detect TDLFS file system.
- If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
(http://i1118.photobucket.com/albums/k611/lhs22/2012081514h0118.png)
- Click Start Scan and allow the scan process to run.
If threats are detected select Skip for all of them unless I instruct you otherwise.
- Click Continue
(http://i1118.photobucket.com/albums/k611/lhs22/tds6.jpg)
- Click Reboot computer
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Regards.
-
Sorry for the late reply was out of state working for last 3 weeks. anyways here is the file attached, and the program didnt find anything harmful.
-
Hi Perez_pancho,
Could you please generate a new FRST log ?
Regards.