Author Topic: Rootkit removal assistance

deppc (Newbie)

Rootkit removal assistance
« on: May 13, 2015, 11:29:08 PM »
Hi there. Some days ago I downloaded a game that many users said has a bitcoin miner, and they suggested downloading RogueKiller. All OK with the scan, no obvious viruses, but I'm a newbie about rootkits, how I should remove them and which ones to remove. I would be grateful if you could help me; here is my rootkit report:

¤¤¤ Antirootkit : 32 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x74811501 (jmp 0xfd774e11|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtUnmapViewOfSection : Unknown @ 0x74811599 (jmp 0xfd774e89|jmp 0xffffef02|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSuspendThread : Unknown @ 0x74811f19 (jmp 0xfd774119|jmp 0xffffe582|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetContextThread : Unknown @ 0x74811b89 (jmp 0xfd774089|jmp 0xffffe912|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x748138a1 (jmp 0xfd776f31|jmp 0xffffcbfa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateSection : Unknown @ 0x74814059 (jmp 0xfd777749|jmp 0xffffc442|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetInformationProcess : Unknown @ 0x748129c9 (jmp 0xfd776399|jmp 0xffffdad2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x74812af9 (jmp 0xfd774e19|jmp 0xffffd9a2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetValueKey : Unknown @ 0x74814189 (jmp 0xfd777719|jmp 0xffffc312|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenFile : Unknown @ 0x74813479 (jmp 0xfd776cd9|jmp 0xffffd022|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtTerminateProcess : Unknown @ 0x74812931 (jmp 0xfd776201|jmp 0xffffdb6a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNELBASE.dll - CreateProcessInternalW : Unknown @ 0x74811a59 (jmp 0xfd9d1b99|jmp 0xffffea42|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDuplicateObject : Unknown @ 0x74811d51 (jmp 0xfd775521|jmp 0xffffe74a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x74811af1 (jmp 0xfd7752e1|jmp 0xffffe9aa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateMutant : Unknown @ 0x74813f29 (jmp 0xfd777059|jmp 0xffffc572|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x74811c21 (jmp 0xfd775551|jmp 0xffffe87a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenSection : Unknown @ 0x74813fc1 (jmp 0xfd7777e1|jmp 0xffffc4da|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlCreateProcessParametersEx : Unknown @ 0x74812769 (jmp 0xfd7acc59|jmp 0xffffdd32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x748117f9 (jmp 0xfd774879|jmp 0xffffeca2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueueApcThread : Unknown @ 0x74811cb9 (jmp 0xfd7753f9|jmp 0xffffe7e2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNEL32.DLL - CreateToolhelp32Snapshot : Unknown @ 0x74811e81 (jmp 0xffee8611|jmp 0xffffe61a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) MSVCR120.dll - fopen : Unknown @ 0x74813df9 (jmp 0x1fe2035|jmp 0xffffc6a2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageW : Unknown @ 0x748133e1 (jmp 0xfdb98731|jmp 0xffffd0ba|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageA : Unknown @ 0x74813219 (jmp 0xfdb6d479|jmp 0xffffd282|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageA : Unknown @ 0x74813349 (jmp 0xfdb93079|jmp 0xffffd152|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtVdmControl : Unknown @ 0x748130e9 (jmp 0xfd7751c9|jmp 0xffffd3b2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtLoadDriver : Unknown @ 0x74812a61 (jmp 0xfd7756d1|jmp 0xffffda3a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageW : Unknown @ 0x748132b1 (jmp 0xfdb98e91|jmp 0xffffd1ea|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWinEventHook : Unknown @ 0x74812049 (jmp 0xfdb8ee29|jmp 0xffffe452|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x748116c9 (jmp 0xfdb8b729|jmp 0xffffedd2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExA : Unknown @ 0x74811631 (jmp 0xfdb6c051|jmp 0xffffee6a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNEL32.DLL - GetStartupInfoA : Unknown @ 0x74813051 (jmp 0xffefa071|jmp 0xffffd44a|call 0x1fe)
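As an added illustration (not from the original post or from the RogueKiller project), a small Python parser for the Antirootkit hook lines above: it groups the patched exports per process and module, counts entries whose owning module RogueKiller could not resolve, and checks whether every detour ends in the same instruction. The regex is an assumption fitted to the line shape shown here, and the embedded sample is three entries copied from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One RogueKiller "Antirootkit" hook line (assumption: all entries follow this shape).
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] \((?P<proc>[^)]+)\) (?P<module>\S+) - (?P<func>\S+)"
    r" : (?P<owner>.+?) @ (?P<addr>0x[0-9a-fA-F]+) \((?P<trampoline>[^)]*)\)$"
)

@dataclass(frozen=True)
class Hook:
    kind: str        # hook class as RogueKiller labels it, e.g. IAT:Inl(Hook.IEAT)
    proc: str        # process whose import was patched
    module: str      # module that exports the hooked function
    func: str        # hooked export
    owner: str       # module RogueKiller attributes the detour to ("Unknown" = unresolved)
    addr: int        # address of the detour
    trampoline: str  # disassembly of the patched bytes

def parse_hooks(report: str) -> list[Hook]:
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())   # lines that are not hook entries are skipped
        if m:
            hooks.append(Hook(m["kind"], m["proc"], m["module"], m["func"],
                              m["owner"], int(m["addr"], 16), m["trampoline"]))
    return hooks

def triage(hooks: list[Hook]) -> dict:
    """Per process: patched modules/exports, unresolved owners, and whether every
    detour shares one trampoline tail (one hooking engine rather than unrelated patches)."""
    per_proc = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        per_proc[h.proc][h.module].add(h.func)
    tails = {h.trampoline.split("|")[-1] for h in hooks}
    return {
        "total": len(hooks),
        "unknown_owner": sum(h.owner == "Unknown" for h in hooks),
        "processes": {p: {m: sorted(f) for m, f in mods.items()} for p, mods in per_proc.items()},
        "same_trampoline_tail": len(tails) == 1,
    }

# Three entries copied from the report above (constructed sample input).
SAMPLE = """\
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x74811501 (jmp 0xfd774e11|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x74811af1 (jmp 0xfd7752e1|jmp 0xffffe9aa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) KERNEL32.DLL - CreateToolhelp32Snapshot : Unknown @ 0x74811e81 (jmp 0xffee8611|jmp 0xffffe61a|call 0x1fe)
"""
```

Run `triage(parse_hooks(SAMPLE))` on the full report to get a per-module overview before deciding whether the hooks belong to a security product the user runs or to something that needs attention.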

Curson (Global Moderator, Hero Member)

Re: Rootkit removal assistance
« Reply #1 on: May 15, 2015, 03:59:30 PM »
Hi deppc,

Welcome to Adlice.com Forum.
Quote from: deppc
Some days ago i downloaded a game that many users said it has a bitcoin miner and suggested to download roguekiller.
Why did you install it knowing that? ::)

Copy/paste the full report generated by RogueKiller in your next reply.

Regards.

deppc (Newbie)

Re: Rootkit removal assistance
« Reply #2 on: May 15, 2015, 07:08:20 PM »
Hi, thanks for replying. Well, after one week of playing the game normally it crashed, so I went again to the torrent's comment section, where something about this was mentioned, and newer comments were talking about the bitcoin miner. ::) :o
Bitdefender is clear, I deleted some PUPs and PUMs through Malwarebytes, and here is my RogueKiller report:


Curson (Global Moderator, Hero Member)

Re: Rootkit removal assistance
« Reply #3 on: May 19, 2015, 01:17:31 PM »
Hi deppc,

  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) as well as MalwareBytes' Anti-Malware report in your next reply.

Regards.