Adlice forum

Software feedback => RogueKiller => Topic started by: neophyte on September 25, 2015, 05:27:34 AM

Title: IAT Hook
Post by: neophyte on September 25, 2015, 05:27:34 AM

There is some form of malware--possibly virus--affecting my computer. Maybe an hour ago I went on Amazon.com, clicked on a product and a weird tab opened up trying to sell me something. Last night I used all the programs listed on this reddit forum https://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/ (https://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/)

Apparently, they couldn't get everything. I just ran RogueKiller and it seemed to pick up an unidentified IAT Hook, but I don't know how to make heads or tails of it. I was hoping someone might be able to help me. If there isn't malware or virus here do you have any idea of what I might try next?

Thanks!

Title: Re: IAT Hook
Post by: Curson on September 28, 2015, 04:50:16 PM

Hi neophyte,

Welcome to Adlice.com Forum.
Could you please copy/paste Malwarebytes report in your next reply ?

The report you posted was generated with the 32 bits version of RogueKiller.
Please download RogueKiller (64 bits version) (http://www.adlice.com//?smd_process_download=1&download_id=2181), redo a full scan and post the report obtained in your next reply.

Regards.

Title: Re: IAT Hook
Post by: neophyte on September 30, 2015, 07:28:40 PM

I'm pretty sure I still have some malware. The moment I clicked on reply another tab randomly opneded. It had a blue screen and told me that I had a virus or something. Ugh

I attached it in a document because it was too long to copy and paste. Let me know if I need to copy/paste it into multiple posts--I tried several times, but even halving it was too long.

Title: Re: IAT Hook
Post by: Curson on September 30, 2015, 09:35:44 PM

Hi neophyte,

This is indeed suspicous.
Could you please attach Malwarebytes report in your next reply ?

Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please attach log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.

Regards.

Title: Re: IAT Hook
Post by: neophyte on October 01, 2015, 04:24:21 AM

Thanks for your response. Attached are the files you requested. The Malwarebytes scan identified three potential threats. I quarantined them--hopefully that was the right action.

Title: Re: IAT Hook
Post by: Curson on October 01, 2015, 04:18:25 PM

Hi neophyte,

Your computer is indeed infected.
I noticed you use cracking tools. Please keep in mind that some of them could be used to reinfect your computer.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

(http://i1118.photobucket.com/albums/k611/lhs22/tds2.jpg)
Check Loaded Modules and Detect TDLFS file system.
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.

(http://i1118.photobucket.com/albums/k611/lhs22/2012081514h0118.png)
Click Start Scan and allow the scan process to run.
If threats are detected select Skip for all of them unless I instruct you otherwise.
Click Continue

(http://i1118.photobucket.com/albums/k611/lhs22/tds6.jpg)
Click Reboot computer

Please attach the file TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Regards.

Title: Re: IAT Hook
Post by: neophyte on October 02, 2015, 03:33:02 AM

The TDSSkiller didn't seem to find anything. Here are the logs.

Title: Re: IAT Hook
Post by: Curson on October 05, 2015, 02:18:30 PM

Hi neophyte,

The logs seems OK.
How is the computer running now ?

Regards.

Title: Re: IAT Hook
Post by: neophyte on October 05, 2015, 07:17:01 PM

I haven't had a problem since I wrote last. Shall we assume that everything is fixed?

Best.

Title: Re: IAT Hook
Post by: Curson on October 05, 2015, 07:42:24 PM

Hi neophyte,

Yes. :)
If something gone wrong again, please let me know.

Regards.

Title: Re: IAT Hook
Post by: neophyte on October 09, 2015, 09:02:38 PM

Damn. I just had more malware pop-up. I haven't gone to any sites that would contain it--unless a link from reddit accidentally took me to one. Any advice?

Title: Re: IAT Hook
Post by: Curson on October 10, 2015, 01:43:57 AM

Hi neophyte,

Could you please generate a new FRST log and attach it in your next reply ?

Regards.

Title: Re: IAT Hook
Post by: neophyte on October 10, 2015, 02:47:19 AM

Thanks for the speedy response. Here they are.

Title: Re: IAT Hook
Post by: Curson on October 12, 2015, 02:03:51 PM

Hi neophyte,

The logs are clean.

Please download Malwarebytes Anti-Malware (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) and save it to your desktop.

Double-click on the setup file (mbam-setup.exe), then click on Run to install.
Malwarebytes will automatically open to it's Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".

Click on Update Now to download the current database definitions, then click the Scan Now button.
If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".

Launch a "FULL SCAN".
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.

After rebooting the computer, copy and past the mbam.log in your next reply.

To retrieve the scan log information (Method 1) :

Open Malwarebytes Anti-Malware.
Click the History Tab at the top and select Application Logs.
Select the box next to Scan Log. Choose the most current scan.
Click the Export button and save the log as a .txt file on your Desktop or another location.
Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the scan log information (Method 2) :

Open Malwarebytes Anti-Malware.
Click the Scan Tab at the top.
Click the View detailed log link on the right.
Click the Export button and save the log as a .txt file on your Desktop or another location.
Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:

-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Regards.