Adlice forum

General Category => Malware removal help => Topic started by: Perez_pancho on May 19, 2015, 06:07:49 am

Title: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on May 19, 2015, 06:07:49 am
So I have a really annoying malware infection that opens tabs and windows and tells me my computer's going to blow up haha. The most frustrating part is the computer runs extremely slow and freezes so much. Well, the anti-rootkit portion of RogueKiller found some stuff in firefox.exe



RogueKiller V10.6.4.0 (x64) [May 18 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : FRANCISCO [Administrator]
Started from : C:\Users\FRANCISCO\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 05/18/2015  20:41:09

Processes : 0

Registry : 0

Tasks : 0

Files : 0

Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

Antirootkit : 40 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDuplicateObject : Unknown @ 0x749d1ed9 (jmp 0xfd7f2049|jmp 0xffffe6b2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtTerminateProcess : Unknown @ 0x749d2ab9 (jmp 0xfd7f2dbd|jmp 0xffffdad2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x749d15f1 (jmp 0xfd7f1955|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtUnmapViewOfSection : Unknown @ 0x749d1689 (jmp 0xfd7f19bd|jmp 0xffffef02|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSuspendThread : Unknown @ 0x749d20a1 (jmp 0xfd7f02e5|jmp 0xffffe4ea|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetContextThread : Unknown @ 0x749d1d11 (jmp 0xfd7f03a5|jmp 0xffffe87a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x749d4609 (jmp 0xfd7f4585|jmp 0xffffbf82|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueryInformationToken : Unknown @ 0x749d3bf1 (jmp 0xfd7f3ffd|jmp 0xffffc99a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlEqualSid : Unknown @ 0x749d3c89 (jmp 0xfd7d2ca8|jmp 0xffffc902|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcessToken : Unknown @ 0x749d3b59 (jmp 0xfd7f2a4d|jmp 0xffffca32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateSection : Unknown @ 0x749d4d29 (jmp 0xfd7f4d39|jmp 0xffffb862|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetInformationProcess : Unknown @ 0x749d2b51 (jmp 0xfd7f2fdd|jmp 0xffffda3a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x749d1da9 (jmp 0xfd7f213d|jmp 0xffffe7e2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x749d2c81 (jmp 0xfd7f1051|jmp 0xffffd90a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetValueKey : Unknown @ 0x749d4e59 (jmp 0xfd7f4c49|jmp 0xffffb732|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenFile : Unknown @ 0x749d41e1 (jmp 0xfd7f4431|jmp 0xffffc3aa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x749d1c79 (jmp 0xfd7f1e19|jmp 0xffffe912|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlCreateProcessParametersEx : Unknown @ 0x749d28f1 (jmp 0xfd7b19a6|jmp 0xffffdc9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenSection : Unknown @ 0x749d4c91 (jmp 0xfd7f4e7d|jmp 0xffffb8fa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateMutant : Unknown @ 0x749d4bf9 (jmp 0xfd7f4411|jmp 0xffffb992|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueueApcThread : Unknown @ 0x749d1e41 (jmp 0xfd7f1ed1|jmp 0xffffe74a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x749d18e9 (jmp 0xfd7f0ff9|jmp 0xffffeca2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtAdjustPrivilegesToken : Unknown @ 0x749d3271 (jmp 0xfd7f3365|jmp 0xffffd31a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - CreateToolhelp32Snapshot : Unknown @ 0x749d2009 (jmp 0xfe1face2|jmp 0xffffe582|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - MoveFileExW : Unknown @ 0x749d2f79 (jmp 0xfe209474|jmp 0xffffd612|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) MSVCR120.dll - fopen : Unknown @ 0x749d4ac9 (jmp 0x23e2d05|jmp 0xffffbac2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageA : Unknown @ 0x749d3f81 (jmp 0xfddbc3ae|jmp 0xffffc60a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageA : Unknown @ 0x749d40b1 (jmp 0xfddb0507|jmp 0xffffc4da|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageW : Unknown @ 0x749d4149 (jmp 0xfddb2ea4|jmp 0xffffc442|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtVdmControl : Unknown @ 0x749d3e51 (jmp 0xfd7f1f1d|jmp 0xffffc73a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtLoadDriver : Unknown @ 0x749d2be9 (jmp 0xfd7f1da9|jmp 0xffffd9a2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageW : Unknown @ 0x749d4019 (jmp 0xfddbc737|jmp 0xffffc572|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWinEventHook : Unknown @ 0x749d21d1 (jmp 0xfddb33c8|jmp 0xffffe3ba|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x749d17b9 (jmp 0xfddaa1b6|jmp 0xffffedd2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CryptAcquireContextW : Unknown @ 0x749d3601 (jmp 0xffc1574d|jmp 0xffffcf8a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CryptAcquireContextA : Unknown @ 0x749d3569 (jmp 0xffc1a3f0|jmp 0xffffd022|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - OpenServiceW : Unknown @ 0x749d2431 (jmp 0xffc15a45|jmp 0xffffe15a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CloseServiceHandle : Unknown @ 0x749d2859 (jmp 0xffc0f25d|jmp 0xffffdd32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - GetStartupInfoA : Unknown @ 0x749d3db9 (jmp 0xfe222fb9|jmp 0xffffc7d2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExA : Unknown @ 0x749d1721 (jmp 0xfdda93c5|jmp 0xffffee6a|call 0x1fe)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MK5075GSX +++++
--- User ---
[MBR] d52cfca0948bfdb8fafd2b1f75803d75
[BSP] 82f00fa70d64970d7bd1aa3a308415b3 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 460564 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 946309120 | Size: 14875 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_05182015_201309.log - RKreport_DEL_05182015_201345.log - RKreport_DEL_05182015_201439.log - RKreport_DEL_05182015_201511.log
RKreport_DEL_05182015_201545.log - RKreport_DEL_05182015_201602.log - RKreport_DEL_05182015_201631.log - RKreport_DEL_05182015_201639.log
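The "Antirootkit" block in the report above is the interesting part of this post: every entry is a firefox.exe import redirected to an address RogueKiller cannot attribute to any module ("Unknown"), all of the targets lie in one small address range, and every disassembled chain ends in the same "call 0x1fe". The parser below is an added example, not part of the original post and not RogueKiller code. It turns such lines into records, groups the hooked exports by module, and applies a heuristic (an assumption of this example, not a RogueKiller rule) that flags a report in which all hook targets are unattributed and clustered in one region, which is what a single injected hook library tends to look like. The sample lines are copied from the report above, with a non-hook line included to show it is ignored.

```python
import re
from collections import defaultdict

# One RogueKiller "Antirootkit" hook line looks like this (taken from the report above):
# [IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x749d1da9 (jmp 0xfd7f213d|jmp 0xffffe7e2|call 0x1fe)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+"            # detection kind, e.g. IAT:Inl(Hook.IEAT)
    r"\((?P<process>[^)]+)\)\s+"           # process whose import table is hooked
    r"(?P<module>\S+)\s+-\s+"              # module that exports the function
    r"(?P<function>\S+)\s+:\s+"            # hooked export
    r"(?P<owner>\S+)\s+@\s+"               # module the target belongs to ("Unknown" = none)
    r"(?P<address>0x[0-9a-fA-F]+)\s+"      # address the import now points to
    r"\((?P<chain>[^)]*)\)\s*$"            # disassembled hops at that address
)


def parse_hook_line(line):
    """Return a dict for one Antirootkit hook line, or None for any other report line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["address"] = int(rec["address"], 16)
    # "jmp 0x...|jmp 0x...|call 0x..." -> ["jmp 0x...", "jmp 0x...", "call 0x..."]
    rec["chain"] = [hop.strip() for hop in rec["chain"].split("|") if hop.strip()]
    return rec


def summarize_hooks(lines):
    """Group hook records by exporting module and measure where the hook targets live."""
    hooks = [h for h in (parse_hook_line(l) for l in lines) if h]
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
    addrs = sorted(h["address"] for h in hooks)
    return {
        "count": len(hooks),
        "by_module": {mod: sorted(funcs) for mod, funcs in by_module.items()},
        "unknown_owner": sum(1 for h in hooks if h["owner"] == "Unknown"),
        # distance between the lowest and highest hook target, in bytes
        "address_span": (addrs[-1] - addrs[0]) if addrs else 0,
        # last hop of each chain; a single shared value means one common trampoline tail
        "tail_hops": sorted({h["chain"][-1] for h in hooks if h["chain"]}),
    }


def looks_like_single_injected_stub(summary, max_span=0x10000):
    """Heuristic (assumption of this example): every target is outside any known module
    and all targets fit in one small region, as a single injected hook library would."""
    return (
        summary["count"] > 0
        and summary["unknown_owner"] == summary["count"]
        and summary["address_span"] <= max_span
    )


# Constructed sample: a few lines copied from the report above plus a non-hook line.
SAMPLE_REPORT = r"""
Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

Antirootkit : 40 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x749d1da9 (jmp 0xfd7f213d|jmp 0xffffe7e2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x749d1c79 (jmp 0xfd7f1e19|jmp 0xffffe912|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x749d18e9 (jmp 0xfd7f0ff9|jmp 0xffffeca2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - CreateToolhelp32Snapshot : Unknown @ 0x749d2009 (jmp 0xfe1face2|jmp 0xffffe582|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x749d17b9 (jmp 0xfddaa1b6|jmp 0xffffedd2|call 0x1fe)
""".strip()


if __name__ == "__main__":
    summary = summarize_hooks(SAMPLE_REPORT.splitlines())
    for module, funcs in summary["by_module"].items():
        print(f"{module}: {', '.join(funcs)}")
    print(f"{summary['count']} hooks, {summary['unknown_owner']} with unknown owner, "
          f"targets span {summary['address_span']:#x} bytes, tail hops {summary['tail_hops']}")
    print("single injected stub?", looks_like_single_injected_stub(summary))
```

Run it against a full RKreport file by passing `open(path).read().splitlines()` to `summarize_hooks`; the functions grouped under ntdll.dll (process, memory, thread and token APIs) are what an analyst would compare against the hooks a legitimate security product is known to place, since the report itself only says the owner is unknown.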
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Curson on May 19, 2015, 01:40:22 pm
Hi Perez_pancho,

Welcome to Adlice.com Forum.

1. Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) and save it to your desktop.
The THREAT SCAN will automatically begin.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.

After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the scan log information (Method 1) :
To retrieve the scan log information (Method 2) :
Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
2. FRST

Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Regards.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on May 21, 2015, 02:20:03 am
Here are the Malwarebytes and Farbar documents.

I need help, these things are driving me nuts, Firefox is taking up about 1.7 GB worth of memory when open!! All these ads are making browsing unbearable!
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Curson on May 21, 2015, 07:59:57 am
Hi Perez_pancho,

Could you please attach the file Addition.txt as well ?

Regards.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on May 25, 2015, 06:51:37 am
I attached the other file, though RogueKiller didn't find anything in firefox.exe like it did in my first post. Either way, any help will be appreciated.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Curson on May 25, 2015, 05:58:11 pm
Hi Perez_pancho,

I'm talking about the file named Addition.txt generated by FRST.
Quote from: Curson
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Could you please attach this file in your next reply ?

Regards.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on May 25, 2015, 08:02:25 pm
okay found it! haha
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on May 29, 2015, 12:49:40 am
Anyone have an idea of what I can do?
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Curson on May 30, 2015, 01:16:25 am
Hi Perez_pancho,

Please uninstall the following programs using Control Panel :
Quote
Safesoft Protector
Spy Hunter

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is the computer running ?

Regards.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on June 01, 2015, 05:20:27 am
It's running a little better but I still have a lot of advertisements, and it's still running very slow, and Malwarebytes is trying to block a bunch of websites.
d: best-deals-products.com
smpdr.com

I
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Curson on June 03, 2015, 12:10:30 pm
Hi Perez_pancho,

Could you please redo a full scan with RogueKiller and post it your next reply ?

Regards.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on June 05, 2015, 02:43:03 am
Here it is
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Curson on June 14, 2015, 05:49:55 pm
Hi Perez_pancho,
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Regards.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Perez_pancho on July 01, 2015, 07:43:33 am
Sorry for the late reply, I was out of state working for the last 3 weeks. Anyways, here is the file attached, and the program didn't find anything harmful.
Title: Re: Annoying Addsupply adds making computer EXTREMELY SLOW. RougekillER Report!
Post by: Curson on July 03, 2015, 03:28:43 pm
Hi Perez_pancho,

Could you please generate a new FRST log ?

Regards.