Messages

1

Malware removal help / Re: Infected with Hook.IEAT. Eating all memory. Please help.

« on: August 20, 2015, 03:41:11 AM »

Had to wait a while before the process started running after I restarted the computer but here it is.

Too much text so I used pastebin since it wouldn't fit in the reply. I hope that works out?

FRST.txt

http://pastebin.com/1zZ08i9x

Addition.txt

http://pastebin.com/HbYwSHVC

/ Jacob

2

Malware removal help / Re: Infected with Hook.IEAT. Eating all memory. Please help.

« on: August 19, 2015, 06:38:16 PM »

Cheers!

Here is the latest Roguekiller log.

RogueKiller V10.10.1.0 (x64) [Aug 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jacobens [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 08/19/2015 13:15:23

¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] iexplore.exe(5428) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Proc.Injected] iexplore.exe(3452) -- C:\Program Files\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5518317A-09C5-47FF-8CEC-F6D8077EA3DB} | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5518317A-09C5-47FF-8CEC-F6D8077EA3DB} | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : Unknown @ 0x56792b2 (jmp 0x90018275|call 0x306c)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ LPK.dll) user32.DLL - MessageBeep : Unknown @ 0x567ac9d (jmp 0x8e60ec67)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ IMM32.DLL) user32.DLL - SetWindowPos : Unknown @ 0x56792eb (jmp 0x8e62049d|call 0x3070|jmp 0x25)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ IMM32.DLL) user32.DLL - ShowWindow : Unknown @ 0x5679330 (jmp 0x8e618535|call 0x302b|jmp 0x25)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ shell32.DLL) user32.DLL - SetForegroundWindow : Unknown @ 0x56792e6 (jmp 0x8e5fa176|call 0x3070|jmp 0x25)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ CLBCatQ.DLL) advapi32.DLL - RegQueryValueExW : Unknown @ 0x567a963 (jmp 0x8fcc634e)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ Flash32_18_0_0_232.ocx) winmm.dll - waveOutWrite : Unknown @ 0x567acaf (jmp 0x90845d34|jmp 0xd6|call 0xfffe724f)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 ATA Device +++++
--- User ---
[MBR] fa43237d720c81fcddb62387a135d2c8
[BSP] 3b5745a6888676fcf126c62d9d6cf5b4 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST31500341AS ATA Device +++++
--- User ---
[MBR] d2f672e1decfd1aecee5935fdc15d6b4
[BSP] ab88def906e35d777a66520bcfeb76f2 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WDC WD1500AHFD-00RAR5 ATA Device +++++
--- User ---
[MBR] 66d369bc063226dd0262422cd7910bea
[BSP] fb3b3a56cba24c34b05339176b740eef : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 142987 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: HP DPF USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: HP DPF USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: HP DPF USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

3

Malware removal help / Infected with Hook.IEAT. Eating all memory. Please help.

« on: August 18, 2015, 02:24:55 PM »

Hello!

I've got some kind of infection that eats away at my pc's resources in the form of iexplore.exe processes running in the background.
The processes start slowly but suddenly it drain all my memory and use a lot of processing power.
It even show up in the Task Manager application tab as Internet explorer windows with different website names on it.

I've tried to run some different removal programmes but so far nothing helps. Only thing that has found it so far is Roguekiller.

Attaching a print of the Roguekiller window with the processes shown.