Adlice forum
Software feedback => RogueKiller => Topic started by: Howard the Duck on April 18, 2016, 03:24:27 AM
-
I had an infection that was in a dll file originally - there was a lot of CPU slowdown until I was able to remove it - and since then have had to remove a number of things with Roguekiller. For a time there was nothing else showing up on subsequent scans except a PUM on my homepage that would return immediately on the next scan whenever I removed it. Now I'm getting a number of IRP hooks that are (as documented) not removable. They were not appearing before, which leads me to believe I'm still infected. I do not have the technical know-how to remove them without some advice, so any help would be greatly appreciated. I have attached my latest log as a text file.
-
Hi Howard,
Which security software are you using?
Do you use a CD/DVD drive emulator, like DAEMON Tools or similar?
Regards.
Note : This thread has been moved to the "RogueKiller" section for clarity.
-
I use MalwareBytes Anti-Malware Premium for scanning and protection. When I first got infected I believe I removed the dll file with MalwareBytes but I was still getting a lot of CPU slowdown so I googled it and found someone who had the same problem (an infection in mdi064.dll). Someone replied recommending running both Roguekiller and Combofix (which I have used before) and after running both successfully, it seemed the infection was dealt with, aside from that PUM on my homepage. But then on a more recent scan those IRP hooks suddenly appeared (they hadn't been there previously).
I do use DAEMON Tools quite regularly. However I'd had it installed for a long time and only recently found these IRP hooks.
Thank you for moving this to the correct subforum.
-
Hi Howard,
I use MalwareBytes Anti-Malware Premium for scanning and protection. When I first got infected I believe I removed the dll file with MalwareBytes but I was still getting a lot of CPU slowdown so I googled it and found someone who had the same problem (an infection in mdi064.dll). Someone replied recommending running both Roguekiller and Combofix (which I have used before) and after running both successfully, it seemed the infection was dealt with, aside from that PUM on my homepage.
Did you follow a removal process on a security forum? Could you please copy/paste the MalwareBytes Anti-Malware report in your next reply?
I do use DAEMON Tools quite regularly. However I'd had it installed for a long time and only recently found these IRP hooks.
The hooks may change depending on the version used.
Regards.
-
Thank you very much for your continued help.
This is the removal process I followed: http://www.bleepingcomputer.com/forums/t/509791/dwmexetrojanbitcoinminer-detected-by-malwarebytes/ I'm not the person who made that thread, I just followed the instructions because it seemed like a similar infection.
As for the original MalwareBytes log, I had to do some digging through old results to find it, as I've done a number of scans with MalwareBytes since and they have all come back clean. The original scan (done on the 7th) found a virus in dwm.exe.
I then used Roguekiller and found more infected files, including mdi064.dll, which I also was able to remove. I included that log from Roguekiller as well.
The only things that are still showing up in RogueKiller are the IRP hooks, and MalwareBytes isn't showing any infected files in scans currently.
As for Daemon Tools, I have not recently updated it or reinstalled it or anything like that, and it doesn't appear to be running currently. Do you think that it could still be causing those hooks to show up? BTW the version of Daemon Tools is the 4.47 Lite version.
-
Hi Howard,
This is the removal process I followed: http://www.bleepingcomputer.com/forums/t/509791/dwmexetrojanbitcoinminer-detected-by-malwarebytes/ I'm not the person who made that thread, I just followed the instructions because it seemed like a similar infection.
As for the original MalwareBytes log, I had to do some digging through old results to find it, as I've done a number of scans with MalwareBytes since and they have all come back clean. The original scan (done on the 7th) found a virus in dwm.exe.
I then used Roguekiller and found more infected files, including mdi064.dll, which I also was able to remove. I included that log from Roguekiller as well.
Thanks for your feedback. We are going to make sure the infection is now really gone.
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right-click to run as administrator (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
As for Daemon Tools, I have not recently updated it or reinstalled it or anything like that, and it doesn't appear to be running currently. Do you think that it could still be causing those hooks to show up? BTW the version of Daemon Tools is the 4.47 Lite version.
According to the logs you just posted, you were using the 32-bit version of RogueKiller back then.
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
The antirootkit module was not working properly so the hooks weren't detected.
Regards.
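Added example, not part of the thread and not RogueKiller's, FRST's or Adlice's code: a small PowerShell triage script for the two points made in the reply above. It reports whether the shell is a 32-bit process on a 64-bit Windows (the situation behind the "Driver: Not loaded" line, since 64-bit Windows will not load a 32-bit kernel driver), and it lists running kernel drivers whose Authenticode signer is not Microsoft, which is where a CD/DVD emulator's driver would show up. It assumes an elevated PowerShell 5.1 prompt; no driver, tool or product names are assumed, and the signer filter is a starting point for inspection, not a verdict (inbox drivers signed only through a catalog may show no embedded signer and would appear in the list too).

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# 1) Bitness check: a 32-bit scanner build carries a 32-bit antirootkit driver,
#    which 64-bit Windows refuses to load, so the module reports nothing on x64.
# 2) Driver inventory: running third-party kernel drivers (e.g. a CD/DVD
#    emulator's) are a common benign source of IRP hooks in antirootkit scans.

function Get-BitnessReport {
    $os64   = [Environment]::Is64BitOperatingSystem
    $proc64 = [Environment]::Is64BitProcess
    [pscustomobject]@{
        Os64Bit        = $os64
        Process64Bit   = $proc64
        # 32-bit process on a 64-bit OS: a 32-bit tool's kernel driver cannot load.
        DriverMismatch = ($os64 -and -not $proc64)
    }
}

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Win32_SystemDriver.PathName comes in several NT-style forms; normalize them.
    $p = $PathName -replace '^\\\?\?\\', ''             # "\??\C:\..."       -> "C:\..."
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # "\SystemRoot\..."  -> "C:\Windows\..."
    if ($p -notmatch '^[A-Za-z]:\\') {                  # bare "system32\drivers\x.sys"
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-ThirdPartyRunningDrivers {
    $running = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    $report = foreach ($drv in $running) {
        $path   = Resolve-DriverPath $drv.PathName
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Signer = $signer
        }
    }
    # Keep drivers with no embedded signer or a signer other than Microsoft.
    # Catalog-signed inbox drivers may land here too; inspect rather than assume.
    $report | Where-Object { -not $_.Signer -or $_.Signer -notmatch 'O=Microsoft Corporation' }
}

Get-BitnessReport | Format-List
Get-ThirdPartyRunningDrivers | Sort-Object Name | Format-Table -AutoSize
```

If DriverMismatch is True, rerun the scanner with its 64-bit build before drawing any conclusion from an empty antirootkit section. Drivers in the second list can then be compared against installed software (as with the emulator in this thread) before treating a hook as suspicious.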
-
I ran the Farbar Recovery tool and uploaded the logs.
As it turns out I was running Daemon Tools after all, and after closing it and running Roguekiller again those IRP hooks no longer showed up. However, the PUM on my homepage is still there - I'm still not sure what that is. I'm guessing it's most likely harmless?
-
Hi Howard,
I ran the Farbar Recovery tool and uploaded the logs.
Leftovers of the infection are still present.
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
As it turns out I was running Daemon Tools after all, and after closing it and running Roguekiller again those IRP hooks no longer showed up.
I'm glad to hear that. :)
However, the PUM on my homepage is still there - I'm still not sure what that is. I'm guessing it's most likely harmless?
Yes, it's perfectly harmless.
For more information about PUMs (Potentially Unwanted Modifications), please read the RogueKiller Documentation (http://www.adlice.com/software/roguekiller/documentation/)
Regards.
-
Thank you!
Yeah my computer did need a restart. I noticed in the log that the fixlist was looking for Combofix, but I had removed it after I used it the first time because that other forum thread suggested deleting it. Should I redownload Combofix and run the fixlist again?
Here's the log for now.
And thanks for the reassurance about the PUM.
-
Hi Howard,
Yeah my computer did need a restart. I noticed in the log that the fixlist was looking for Combofix, but I had removed it after I used it the first time because that other forum thread suggested deleting it. Should I redownload Combofix and run the fixlist again?
No, you don't need to. The fix was looking for ComboFix to remove it.
You could now delete FRST and the files linked to it.
Thank you!
And thanks for the reassurance about the PUM.
You are welcome.
Your computer is now clean.
Regards.
-
Thank you so much for your help! It is greatly appreciated. Now I don't have to worry. :D
-
Hi Howard,
You are very welcome.
Regards.