Author Topic: Annoying Addsupply ads making computer EXTREMELY SLOW. RogueKiller report!

May 19, 2015, 06:07:49 am
Perez_pancho
So I have a really annoying malware infection that opens tabs and windows and tells me my computer's going to blow up, haha. The most frustrating part is the computer runs extremely slow and freezes so much. Well, the anti-rootkit portion of RogueKiller found some stuff in firefox.exe.



RogueKiller V10.6.4.0 (x64) [May 18 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : FRANCISCO [Administrator]
Started from : C:\Users\FRANCISCO\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 05/18/2015  20:41:09

Processes : 0

Registry : 0

Tasks : 0

Files : 0

Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

Antirootkit : 40 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDuplicateObject : Unknown @ 0x749d1ed9 (jmp 0xfd7f2049|jmp 0xffffe6b2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtTerminateProcess : Unknown @ 0x749d2ab9 (jmp 0xfd7f2dbd|jmp 0xffffdad2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x749d15f1 (jmp 0xfd7f1955|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtUnmapViewOfSection : Unknown @ 0x749d1689 (jmp 0xfd7f19bd|jmp 0xffffef02|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSuspendThread : Unknown @ 0x749d20a1 (jmp 0xfd7f02e5|jmp 0xffffe4ea|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetContextThread : Unknown @ 0x749d1d11 (jmp 0xfd7f03a5|jmp 0xffffe87a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x749d4609 (jmp 0xfd7f4585|jmp 0xffffbf82|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueryInformationToken : Unknown @ 0x749d3bf1 (jmp 0xfd7f3ffd|jmp 0xffffc99a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlEqualSid : Unknown @ 0x749d3c89 (jmp 0xfd7d2ca8|jmp 0xffffc902|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcessToken : Unknown @ 0x749d3b59 (jmp 0xfd7f2a4d|jmp 0xffffca32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateSection : Unknown @ 0x749d4d29 (jmp 0xfd7f4d39|jmp 0xffffb862|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetInformationProcess : Unknown @ 0x749d2b51 (jmp 0xfd7f2fdd|jmp 0xffffda3a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x749d1da9 (jmp 0xfd7f213d|jmp 0xffffe7e2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x749d2c81 (jmp 0xfd7f1051|jmp 0xffffd90a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetValueKey : Unknown @ 0x749d4e59 (jmp 0xfd7f4c49|jmp 0xffffb732|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenFile : Unknown @ 0x749d41e1 (jmp 0xfd7f4431|jmp 0xffffc3aa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x749d1c79 (jmp 0xfd7f1e19|jmp 0xffffe912|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlCreateProcessParametersEx : Unknown @ 0x749d28f1 (jmp 0xfd7b19a6|jmp 0xffffdc9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenSection : Unknown @ 0x749d4c91 (jmp 0xfd7f4e7d|jmp 0xffffb8fa|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateMutant : Unknown @ 0x749d4bf9 (jmp 0xfd7f4411|jmp 0xffffb992|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueueApcThread : Unknown @ 0x749d1e41 (jmp 0xfd7f1ed1|jmp 0xffffe74a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x749d18e9 (jmp 0xfd7f0ff9|jmp 0xffffeca2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtAdjustPrivilegesToken : Unknown @ 0x749d3271 (jmp 0xfd7f3365|jmp 0xffffd31a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - CreateToolhelp32Snapshot : Unknown @ 0x749d2009 (jmp 0xfe1face2|jmp 0xffffe582|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - MoveFileExW : Unknown @ 0x749d2f79 (jmp 0xfe209474|jmp 0xffffd612|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) MSVCR120.dll - fopen : Unknown @ 0x749d4ac9 (jmp 0x23e2d05|jmp 0xffffbac2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageA : Unknown @ 0x749d3f81 (jmp 0xfddbc3ae|jmp 0xffffc60a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageA : Unknown @ 0x749d40b1 (jmp 0xfddb0507|jmp 0xffffc4da|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - PostMessageW : Unknown @ 0x749d4149 (jmp 0xfddb2ea4|jmp 0xffffc442|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtVdmControl : Unknown @ 0x749d3e51 (jmp 0xfd7f1f1d|jmp 0xffffc73a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtLoadDriver : Unknown @ 0x749d2be9 (jmp 0xfd7f1da9|jmp 0xffffd9a2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetMessageW : Unknown @ 0x749d4019 (jmp 0xfddbc737|jmp 0xffffc572|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWinEventHook : Unknown @ 0x749d21d1 (jmp 0xfddb33c8|jmp 0xffffe3ba|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x749d17b9 (jmp 0xfddaa1b6|jmp 0xffffedd2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CryptAcquireContextW : Unknown @ 0x749d3601 (jmp 0xffc1574d|jmp 0xffffcf8a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CryptAcquireContextA : Unknown @ 0x749d3569 (jmp 0xffc1a3f0|jmp 0xffffd022|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - OpenServiceW : Unknown @ 0x749d2431 (jmp 0xffc15a45|jmp 0xffffe15a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CloseServiceHandle : Unknown @ 0x749d2859 (jmp 0xffc0f25d|jmp 0xffffdd32|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - GetStartupInfoA : Unknown @ 0x749d3db9 (jmp 0xfe222fb9|jmp 0xffffc7d2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExA : Unknown @ 0x749d1721 (jmp 0xfdda93c5|jmp 0xffffee6a|call 0x1fe)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MK5075GSX +++++
--- User ---
[MBR] d52cfca0948bfdb8fafd2b1f75803d75
[BSP] 82f00fa70d64970d7bd1aa3a308415b3 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 460564 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 946309120 | Size: 14875 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_05182015_201309.log - RKreport_DEL_05182015_201345.log - RKreport_DEL_05182015_201439.log - RKreport_DEL_05182015_201511.log
RKreport_DEL_05182015_201545.log - RKreport_DEL_05182015_201602.log - RKreport_DEL_05182015_201631.log - RKreport_DEL_05182015_201639.log
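The "Antirootkit" section above is the interesting part of this report: 40 inline hooks on firefox.exe, all with an "Unknown" owner, and every trampoline address between 0x749d15f1 and 0x749d4e59, a window of roughly 14 KB. That pattern is consistent with a single module injected into the browser rather than with independent hooks from several legitimate products. The script below is an added example, not RogueKiller's code and not something posted in this thread: it parses lines in the format shown above, counts hooks per module, measures the address window, and groups hooked functions by what an injected module could use them for. The sample input is a subset of the lines from the report (plus the hosts line, to show non-hook lines are skipped); the capability grouping and the 64 KB single-region heuristic are this example's own assumptions, and the `jmp`/`call` fragment is kept verbatim without interpretation.

```python
"""Parse RogueKiller 'Antirootkit' hook lines and summarise what they hook."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the hook lines from the RogueKiller report
# posted above, plus one unrelated line to show that it is ignored.
SAMPLE_LOG = r"""
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x749d15f1 (jmp 0xfd7f1955|jmp 0xffffef9a|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x749d1da9 (jmp 0xfd7f213d|jmp 0xffffe7e2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x749d1c79 (jmp 0xfd7f1e19|jmp 0xffffe912|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x749d18e9 (jmp 0xfd7f0ff9|jmp 0xffffeca2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtSetValueKey : Unknown @ 0x749d4e59 (jmp 0xfd7f4c49|jmp 0xffffb732|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) kernel32.dll - CreateToolhelp32Snapshot : Unknown @ 0x749d2009 (jmp 0xfe1face2|jmp 0xffffe582|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x749d17b9 (jmp 0xfddaa1b6|jmp 0xffffedd2|call 0x1fe)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ADVAPI32.dll - CryptAcquireContextW : Unknown @ 0x749d3601 (jmp 0xffc1574d|jmp 0xffffcf8a|call 0x1fe)
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost
"""

# One hook line: [kind] (process) module - function : owner @ 0xaddr (detail)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] \((?P<process>[^)]+)\) (?P<module>\S+) - (?P<function>\S+) : "
    r"(?P<owner>\S+) @ 0x(?P<addr>[0-9a-fA-F]+) \((?P<detail>[^)]*)\)$"
)

# This grouping is the example's own (an assumption, not RogueKiller output):
# it sorts hooked functions by what an injected module could do with them.
CAPABILITY = {
    "process/thread injection": {
        "NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtQueueApcThread",
        "NtSetContextThread", "NtSuspendThread", "NtMapViewOfSection", "NtUnmapViewOfSection",
        "NtCreateSection", "NtOpenSection", "NtProtectVirtualMemory"},
    "process enumeration/control": {
        "CreateToolhelp32Snapshot", "NtTerminateProcess", "NtSetInformationProcess",
        "NtDuplicateObject", "RtlCreateProcessParametersEx"},
    "persistence (registry/files/drivers)": {
        "NtSetValueKey", "NtOpenFile", "MoveFileExW", "fopen", "NtLoadDriver",
        "NtSetSystemInformation"},
    "window message/input hooking": {
        "SetWindowsHookExA", "SetWindowsHookExW", "SetWinEventHook",
        "GetMessageA", "GetMessageW", "PostMessageA", "PostMessageW"},
    "tokens/privileges": {
        "NtOpenProcessToken", "NtQueryInformationToken", "NtAdjustPrivilegesToken", "RtlEqualSid"},
    "crypto/services": {
        "CryptAcquireContextA", "CryptAcquireContextW", "OpenServiceW", "CloseServiceHandle"},
}


@dataclass(frozen=True)
class Hook:
    kind: str
    process: str
    module: str      # DLL whose export is hooked
    function: str
    owner: str       # "Unknown" = RogueKiller could not map the target to a module
    addr: int        # address of the hook trampoline
    detail: str      # disassembly fragment as printed; left uninterpreted here


def parse_hooks(text: str) -> list[Hook]:
    """Return one Hook per line that matches the RogueKiller hook format."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["kind"], m["process"], m["module"], m["function"],
                              m["owner"], int(m["addr"], 16), m["detail"]))
    return hooks


def summarize(hooks: list[Hook]) -> dict:
    """Counts per hooked module plus the address window of all trampolines."""
    addrs = [h.addr for h in hooks]
    return {
        "total": len(hooks),
        "per_module": Counter(h.module for h in hooks),
        "owners": sorted({h.owner for h in hooks}),
        "addr_lo": min(addrs) if addrs else None,
        "addr_hi": max(addrs) if addrs else None,
        "span": (max(addrs) - min(addrs)) if addrs else 0,
    }


def capabilities(hooks: list[Hook]) -> dict[str, list[str]]:
    """Group hooked function names by the CAPABILITY table; unlisted -> 'other'."""
    by_cap = defaultdict(list)
    for h in hooks:
        cap = next((c for c, fns in CAPABILITY.items() if h.function in fns), "other")
        by_cap[cap].append(h.function)
    return dict(by_cap)


def single_region(hooks: list[Hook], max_span: int = 0x10000) -> bool:
    """Heuristic (assumption): all Unknown-owned trampolines fit in one 64 KB
    window, which suggests a single injected module rather than many products."""
    unknown = [h.addr for h in hooks if h.owner == "Unknown"]
    return bool(unknown) and (max(unknown) - min(unknown)) <= max_span


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    s = summarize(hooks)
    print(f"{s['total']} hooks; per module: {dict(s['per_module'])}")
    print(f"trampolines {s['addr_lo']:#x}..{s['addr_hi']:#x} (span {s['span']:#x})")
    print("single injected region:", single_region(hooks))
    for cap, fns in sorted(capabilities(hooks).items()):
        print(f"  {cap}: {', '.join(fns)}")
```

Run it against the full report by replacing `SAMPLE_LOG` with the saved RKreport text; the per-module counts and the address span are the two numbers worth comparing between scans, since the poster later reports that a re-scan no longer shows hooks in firefox.exe.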

Reply #1, May 19, 2015, 01:40:22 pm
Curson (Global Moderator)
Hi Perez_pancho,

Welcome to Adlice.com Forum.

1. Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
    Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  • Click on Update Now to download the current database definitions, then click the Scan Now button.
    If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
The THREAT SCAN will automatically begin.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.

After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the scan log information (Method 1) :
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select the box next to Scan Log. Choose the most current scan.
  • Click the Export button and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
To retrieve the scan log information (Method 2) :
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click the Export button and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
  • XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
  • Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
2. FRST

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Regards.

Reply #2, May 21, 2015, 02:20:03 am
Perez_pancho
Here are the Malwarebytes and Farbar documents.

I need help, these things are driving me nuts; Firefox is taking up about 1.7 GB worth of memory when open!! All these ads are making browsing unbearable!

Reply #3, May 21, 2015, 07:59:57 am
Curson (Global Moderator)
Hi Perez_pancho,

Could you please attach the file Addition.txt as well?

Regards.

Reply #4, May 25, 2015, 06:51:37 am
Perez_pancho
I attached the other file, though RogueKiller didn't find anything in firefox.exe like it did in my first post. Either way, any help will be appreciated.

Reply #5, May 25, 2015, 05:58:11 pm
Curson (Global Moderator)
Hi Perez_pancho,

I'm talking about the file named Addition.txt generated by FRST.
Quote from: Curson
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Could you please attach this file in your next reply?

Regards.

Reply #6, May 25, 2015, 08:02:25 pm
Perez_pancho
Okay, found it! haha

Reply #7, May 29, 2015, 12:49:40 am
Perez_pancho
Anyone have an idea of what I can do?

Reply #8, May 30, 2015, 01:16:25 am
Curson (Global Moderator)
Hi Perez_pancho,

Please uninstall the following programs using Control Panel:
Quote
Safesoft Protector
Spy Hunter

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is the computer running?

Regards.

Reply #9, June 01, 2015, 05:20:27 am
Perez_pancho
It's running a little better, but I still have a lot of advertisements, and it's still running very slow. And Malwarebytes is trying to block a bunch of websites.
d: best-deals-products.com
smpdr.com

I

Reply #10, June 03, 2015, 12:10:30 pm
Curson (Global Moderator)
Hi Perez_pancho,

Could you please redo a full scan with RogueKiller and post it in your next reply?

Regards.

Reply #11, June 05, 2015, 02:43:03 am
Perez_pancho
Here it is.

Reply #12, June 14, 2015, 05:49:55 pm
Curson (Global Moderator)
Hi Perez_pancho,
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your next reply.

Regards.

Reply #13, July 01, 2015, 07:43:33 am
Perez_pancho
Sorry for the late reply, I was out of state working for the last 3 weeks. Anyway, here is the file attached, and the program didn't find anything harmful.

Reply #14, July 03, 2015, 03:28:43 pm
Curson (Global Moderator)
Hi Perez_pancho,

Could you please generate a new FRST log?

Regards.