68 replies to this topic

[samwalker85]

i am new to malware bytes i am using the free version the question i have is that i recently started having a lot of problems with my computer
slow speed, hardrive space usage showing different at different times, interent explorere will open two windows sometimes instead of one, recurring trojan detection by my regular virus software(nortan security suit)
so finally i decided to download malware bytes version 6.21 (i think) now it found 23 threats from registries and files and nortant had not found any when i scanned this morning so i am not sure which is saying the truth
also some of the files detected are registry files and i am not aware of their implications
and i had read that malware bytes is not the best against rootkit and i would like to know more about that if somebody can help. if you want i can attach a copy of the log that malware bytes made after the scan.

[MrCharlie]

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[samwalker85]

i am infected and downloaded malware bytes i did full scan and found 23 viruses
upon reviewing some of them online i found out that not all are bad so i wanted to find some help on what to do now.
my computer has slowed down a lot, the hard disk behaves irrationally and shows different empty space left at different times(sometimes 7 Gb sometimes 3GB and sometimes 700MB) internet explorer keeps redirecting itself to unknown websites. sometimes when i open a site two web pages open simultaneously. i found that i was being redirected by atdmt.com and by redirect.ad-feeds.com that what the source said. just saying.
also when i was told by the expert about downloading dds i did what the expert said and have made two copies of text documents.
i am going to use rogue killer as requested by the expert and attach the two txt documents to this post. thank you once more for the help. i am sstill new to this so remind me if i make any mistakes.

Attached Files

•  DDS.txt   19.24K   12 downloads
•  Attach.txt   29.67K   9 downloads

[MrCharlie]

Can you post the log from RogueKiller.

MrC

[samwalker85]

heres the report by rogue killer------->

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Soham [Admin rights]
Mode: Scan -- Date: 07/20/2012 11:52:38
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 11 ¤¤¤
[SUSP PATH] 82960840.job @ : C:\Users\Soham\AppData\Local\Temp\\setup3675677888.exe -> FOUND
[SUSP PATH] win402b40.job @ : C:\Users\Soham\AppData\Local\Temp\win402b40.dat -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:52848) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][FOLDER] plugs : c:\users\soham\appdata\roaming\adobe\plugs --> FOUND
[Tr.Karagany][FOLDER] shed : c:\users\soham\appdata\roaming\adobe\shed --> FOUND
[Faked.Drv][FAKED] tdx.sys : c:\windows\system32\drivers\tdx.sys --> CANNOT FIX
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x824975C3 -> HOOKED (Unknown @ 0x892F80B0)
SSDT[14] : NtAlertThread @ 0x82410255 -> HOOKED (Unknown @ 0x892F8190)
SSDT[18] : NtAllocateVirtualMemory @ 0x8244C4FB -> HOOKED (Unknown @ 0x89384218)
SSDT[21] : NtAlpcConnectPort @ 0x823EE887 -> HOOKED (Unknown @ 0x892A06A8)
SSDT[42] : NtAssignProcessToJobObject @ 0x823C1B43 -> HOOKED (Unknown @ 0x87016948)
SSDT[67] : NtCreateMutant @ 0x82424812 -> HOOKED (Unknown @ 0x870167C0)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x823C435A -> HOOKED (Unknown @ 0x892F87B0)
SSDT[78] : NtCreateThread @ 0x82495BE0 -> HOOKED (Unknown @ 0x8930FD98)
SSDT[116] : NtDebugActiveProcess @ 0x82468D22 -> HOOKED (Unknown @ 0x892F83E0)
SSDT[129] : NtDuplicateObject @ 0x823FC551 -> HOOKED (Unknown @ 0x8930E148)
SSDT[147] : NtFreeVirtualMemory @ 0x82288F1D -> HOOKED (Unknown @ 0x89198150)
SSDT[156] : NtImpersonateAnonymousToken @ 0x823BEF12 -> HOOKED (Unknown @ 0x8930EEB0)
SSDT[158] : NtImpersonateThread @ 0x823D454F -> HOOKED (Unknown @ 0x8930EF90)
SSDT[165] : NtLoadDriver @ 0x8236FDEE -> HOOKED (Unknown @ 0x892A0610)
SSDT[177] : NtMapViewOfSection @ 0x8241489A -> HOOKED (Unknown @ 0x893848D8)
SSDT[184] : NtOpenEvent @ 0x823FDDCF -> HOOKED (Unknown @ 0x89310510)
SSDT[194] : NtOpenProcess @ 0x82424FAE -> HOOKED (Unknown @ 0x891989C0)
SSDT[195] : NtOpenProcessToken @ 0x82405A2E -> HOOKED (Unknown @ 0x89384308)
SSDT[197] : NtOpenSection @ 0x8241566D -> HOOKED (Unknown @ 0x892F8270)
SSDT[201] : NtOpenThread @ 0x824204FF -> HOOKED (Unknown @ 0x89384AD8)
SSDT[210] : NtProtectVirtualMemory @ 0x8241E2E2 -> HOOKED (Unknown @ 0x892F8960)
SSDT[282] : NtResumeThread @ 0x8241FB4A -> HOOKED (Unknown @ 0x892F84E0)
SSDT[289] : NtSetContextThread @ 0x8249706F -> HOOKED (Unknown @ 0x892F8008)
SSDT[305] : NtSetInformationProcess @ 0x824188C8 -> HOOKED (Unknown @ 0x89384708)
SSDT[317] : NtSetSystemInformation @ 0x823EAEEB -> HOOKED (Unknown @ 0x892F8540)
SSDT[330] : NtSuspendProcess @ 0x824974FF -> HOOKED (Unknown @ 0x892F82A8)
SSDT[331] : NtSuspendThread @ 0x8239E92B -> HOOKED (Unknown @ 0x87016808)
SSDT[334] : NtTerminateProcess @ 0x823F5143 -> HOOKED (Unknown @ 0x89198D80)
SSDT[335] : NtTerminateThread @ 0x82420534 -> HOOKED (Unknown @ 0x893849E0)
SSDT[348] : NtUnmapViewOfSection @ 0x82414B5D -> HOOKED (Unknown @ 0x893847F8)
SSDT[358] : NtWriteVirtualMemory @ 0x8241192D -> HOOKED (Unknown @ 0x89384058)
SSDT[382] : NtCreateThreadEx @ 0x8241FFE9 -> HOOKED (Unknown @ 0x892F8880)
S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x89270BE0)
S_SSDT[397] : Unknown -> HOOKED (Unknown @ 0x892B1A48)
S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x892B1988)
S_SSDT[430] : Unknown -> HOOKED (Unknown @ 0x892E0340)
S_SSDT[442] : Unknown -> HOOKED (Unknown @ 0x892E0400)
S_SSDT[479] : Unknown -> HOOKED (Unknown @ 0x8770ECA8)
S_SSDT[497] : Unknown -> HOOKED (Unknown @ 0x892B18B8)
S_SSDT[498] : Unknown -> HOOKED (Unknown @ 0x892B17E8)
S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x892E0558)
S_SSDT[576] : Unknown -> HOOKED (Unknown @ 0x89B172B0)
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD6400AAKS-75A7B0 ATA Device +++++
--- User ---
[MBR] 47a7efb85490317b03902aeb92efe73c
[BSP] 7b8e47267250a06aa39260c2dc400db6 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 600184 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt

[samwalker85]

i didnt mean to post it in PM i didnt know it was PM i was just replying to where my message was transfered.....i would like to remind oyu again i am new to this. but thank you for help in advance

[MrCharlie]

OK, run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest:

Quote

[SUSP PATH] 82960840.job @ : C:\Users\Soham\AppData\Local\Temp\\setup3675677888.exe -> FOUND
[SUSP PATH] win402b40.job @ : C:\Users\Soham\AppData\Local\Temp\win402b40.dat -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

Now click Delete on the right hand column under Options

Repeat the process for these under Files:
Click on the > put a check next to these and uncheck the rest
Click on Delete

Quote

¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][FOLDER] plugs : c:\users\soham\appdata\roaming\adobe\plugs --> FOUND
[Tr.Karagany][FOLDER] shed : c:\users\soham\appdata\roaming\adobe\shed --> FOUND

Repeat the process for this under Proxy:

Quote

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:52848) -> FOUND

----------


Then.......


Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[samwalker85]

I tried deleting proxy and it says not removed use proxyfix

[MrCharlie]

samwalker85, on 21 July 2012 - 11:18 PM, said:

I tried deleting proxy and it says not removed use proxyfix

You have to click on the "Fix Proxy" button, sorry for the confusion.

MrC

[samwalker85]

Ok I tried combo fix and guess what
My computer kept on going on a cycle of restarts
Like it kept on restarting by itself
I am sorry mr Charlie but your advice may not have been for the better
I am not sure what to do
Coz after all that mess I just shut it down
And the started it few hours later
And it said restart issues and needs to restore from an earlier point when it worked
And I had to click yes
I am so lost also theses advices are posted once everyday now I know they are helping for free but if I am in the middle of something new and something goes wrong who do I ask?
Me Charlie replies to stuff once everyday
So I need to wait for an answer untill the next day and virus problem still persistent
I need some better help please....

[MrCharlie]

Quote

I need some better help please....

You don't want my help anymore??

MrC

[samwalker85]

I am not saying I don't need your help any more
I need better help
I mean if I am in the middle of a new system scan with a powerful program like combo fix
And if something goes wrong coz computers and virus are not in my control how do I get in touch with you or someone
If you are free right now we can do it now
I need some more immediate help

[MrCharlie]

Quote

I am so lost also theses advices are posted once everyday now I know they are helping for free but if I am in the middle of something new and something goes wrong who do I ask?
Me Charlie replies to stuff once everyday
So I need to wait for an answer untill the next day and virus problem still persistent
I need some better help please....

You have to loose the attitude, I'm here all day long....from about 6:30 in the morning to about 11PM.

Quote

Me Charlie replies to stuff once everyday

I answer all post immediately when I can, I do have to sleep, eat, shower, etc.

I've been here all day long so far and answering posts continuously.

We may be in different parts of the world also!!

-------------------------------------------

How's is the computer now, does it boot up and Windows start??

MrC

[samwalker85]

I have absolutely no attitude
It's is sometimes hard to show your tone through messaging on a forum
If you read my earlier reply I even mentioned that I know you are doing me a favor but
Ok I can't keep arguing over same topic coz I am not sure there is a better way of explaining

Computer started when windows did system repair
I had dell dock and it's not working
My hp printer stuff isn't working
It still says that my recycle bin is corrupted and norton still keeps showing Trojan warnings
Do you have a new idea or better plan coz combo fix didn't do anything good instead ruined few good things

[samwalker85]

Is it possible to chat with you somewhere?
Like a live chat kind of a situation so that we can do something fast enough

[MrCharlie]

No, we work on the forum, MrC

[MrCharlie]

ComboFix creates a system restore point just before it runs, I suggest you use it to restore the computer to the way it was before you ran ComboFix.

You can even restore it before that, you have many restore point created.

MrC

[samwalker85]

So what now?
Any new idea?
Do you me to get a new report?

[MrCharlie]

Read my post before yours, MrC

[samwalker85]

I don't know how to restore from what combo fix made?