samwalker85

Not sure what is false positive

69 posts in this topic

I am new to Malwarebytes. I am using the free version. The question I have is that I recently started having a lot of problems with my computer:

slow speed, hard drive space usage showing differently at different times, Internet Explorer will open two windows sometimes instead of one, recurring Trojan detection by my regular virus software (Norton Security Suite).

So finally I decided to download Malwarebytes version 6.21 (I think). Now it found 23 threats from registries and files, and Norton had not found any when I scanned this morning, so I am not sure which is telling the truth.

Also some of the files detected are registry files and I am not aware of their implications.

And I had read that Malwarebytes is not the best against rootkits and I would like to know more about that if somebody can help. If you want I can attach a copy of the log that Malwarebytes made after the scan.

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download RogueKiller to your desktop and run it.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

I am infected and downloaded Malwarebytes. I did a full scan and found 23 viruses.

Upon reviewing some of them online I found out that not all are bad, so I wanted to find some help on what to do now.

My computer has slowed down a lot, the hard disk behaves irrationally and shows different empty space left at different times (sometimes 7 GB, sometimes 3 GB and sometimes 700 MB). Internet Explorer keeps redirecting itself to unknown websites. Sometimes when I open a site two web pages open simultaneously. I found that I was being redirected by atdmt.com and by redirect.ad-feeds.com; that's what the source said. Just saying.

Also, when I was told by the expert about downloading DDS, I did what the expert said and have made two copies of text documents.

I am going to use RogueKiller as requested by the expert and attach the two txt documents to this post. Thank you once more for the help. I am still new to this, so remind me if I make any mistakes.

DDS.txt

Attach.txt

Can you post the log from RogueKiller?

MrC

Here's the report by RogueKiller ------->

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo...13-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: Soham [Admin rights]

Mode: Scan -- Date: 07/20/2012 11:52:38

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 11 ¤¤¤

[sUSP PATH] 82960840.job @ : C:\Users\Soham\AppData\Local\Temp\\setup3675677888.exe -> FOUND

[sUSP PATH] win402b40.job @ : C:\Users\Soham\AppData\Local\Temp\win402b40.dat -> FOUND

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:52848) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[Tr.Karagany][FOLDER] plugs : c:\users\soham\appdata\roaming\adobe\plugs --> FOUND

[Tr.Karagany][FOLDER] shed : c:\users\soham\appdata\roaming\adobe\shed --> FOUND

[Faked.Drv][FAKED] tdx.sys : c:\windows\system32\drivers\tdx.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[13] : NtAlertResumeThread @ 0x824975C3 -> HOOKED (Unknown @ 0x892F80B0)

SSDT[14] : NtAlertThread @ 0x82410255 -> HOOKED (Unknown @ 0x892F8190)

SSDT[18] : NtAllocateVirtualMemory @ 0x8244C4FB -> HOOKED (Unknown @ 0x89384218)

SSDT[21] : NtAlpcConnectPort @ 0x823EE887 -> HOOKED (Unknown @ 0x892A06A8)

SSDT[42] : NtAssignProcessToJobObject @ 0x823C1B43 -> HOOKED (Unknown @ 0x87016948)

SSDT[67] : NtCreateMutant @ 0x82424812 -> HOOKED (Unknown @ 0x870167C0)

SSDT[77] : NtCreateSymbolicLinkObject @ 0x823C435A -> HOOKED (Unknown @ 0x892F87B0)

SSDT[78] : NtCreateThread @ 0x82495BE0 -> HOOKED (Unknown @ 0x8930FD98)

SSDT[116] : NtDebugActiveProcess @ 0x82468D22 -> HOOKED (Unknown @ 0x892F83E0)

SSDT[129] : NtDuplicateObject @ 0x823FC551 -> HOOKED (Unknown @ 0x8930E148)

SSDT[147] : NtFreeVirtualMemory @ 0x82288F1D -> HOOKED (Unknown @ 0x89198150)

SSDT[156] : NtImpersonateAnonymousToken @ 0x823BEF12 -> HOOKED (Unknown @ 0x8930EEB0)

SSDT[158] : NtImpersonateThread @ 0x823D454F -> HOOKED (Unknown @ 0x8930EF90)

SSDT[165] : NtLoadDriver @ 0x8236FDEE -> HOOKED (Unknown @ 0x892A0610)

SSDT[177] : NtMapViewOfSection @ 0x8241489A -> HOOKED (Unknown @ 0x893848D8)

SSDT[184] : NtOpenEvent @ 0x823FDDCF -> HOOKED (Unknown @ 0x89310510)

SSDT[194] : NtOpenProcess @ 0x82424FAE -> HOOKED (Unknown @ 0x891989C0)

SSDT[195] : NtOpenProcessToken @ 0x82405A2E -> HOOKED (Unknown @ 0x89384308)

SSDT[197] : NtOpenSection @ 0x8241566D -> HOOKED (Unknown @ 0x892F8270)

SSDT[201] : NtOpenThread @ 0x824204FF -> HOOKED (Unknown @ 0x89384AD8)

SSDT[210] : NtProtectVirtualMemory @ 0x8241E2E2 -> HOOKED (Unknown @ 0x892F8960)

SSDT[282] : NtResumeThread @ 0x8241FB4A -> HOOKED (Unknown @ 0x892F84E0)

SSDT[289] : NtSetContextThread @ 0x8249706F -> HOOKED (Unknown @ 0x892F8008)

SSDT[305] : NtSetInformationProcess @ 0x824188C8 -> HOOKED (Unknown @ 0x89384708)

SSDT[317] : NtSetSystemInformation @ 0x823EAEEB -> HOOKED (Unknown @ 0x892F8540)

SSDT[330] : NtSuspendProcess @ 0x824974FF -> HOOKED (Unknown @ 0x892F82A8)

SSDT[331] : NtSuspendThread @ 0x8239E92B -> HOOKED (Unknown @ 0x87016808)

SSDT[334] : NtTerminateProcess @ 0x823F5143 -> HOOKED (Unknown @ 0x89198D80)

SSDT[335] : NtTerminateThread @ 0x82420534 -> HOOKED (Unknown @ 0x893849E0)

SSDT[348] : NtUnmapViewOfSection @ 0x82414B5D -> HOOKED (Unknown @ 0x893847F8)

SSDT[358] : NtWriteVirtualMemory @ 0x8241192D -> HOOKED (Unknown @ 0x89384058)

SSDT[382] : NtCreateThreadEx @ 0x8241FFE9 -> HOOKED (Unknown @ 0x892F8880)

S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x89270BE0)

S_SSDT[397] : Unknown -> HOOKED (Unknown @ 0x892B1A48)

S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x892B1988)

S_SSDT[430] : Unknown -> HOOKED (Unknown @ 0x892E0340)

S_SSDT[442] : Unknown -> HOOKED (Unknown @ 0x892E0400)

S_SSDT[479] : Unknown -> HOOKED (Unknown @ 0x8770ECA8)

S_SSDT[497] : Unknown -> HOOKED (Unknown @ 0x892B18B8)

S_SSDT[498] : Unknown -> HOOKED (Unknown @ 0x892B17E8)

S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x892E0558)

S_SSDT[576] : Unknown -> HOOKED (Unknown @ 0x89B172B0)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-75A7B0 ATA Device +++++

--- User ---

[MBR] 47a7efb85490317b03902aeb92efe73c

[bSP] 7b8e47267250a06aa39260c2dc400db6 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 600184 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt
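As an added illustration (my own code, not RogueKiller's and not anything posted in this thread), here is a small Python parser for the report format above that splits the output into tagged findings and SSDT hooks and ranks the findings by what a defender would act on first. It works on a handful of lines copied from the report; the severity labels and notes are my own classification, not RogueKiller's, and the module name "Unknown" is simply what the tool prints when it cannot attribute a hook to a loaded driver.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the RogueKiller report in this
# thread (not the complete report).  Raw string so the Windows paths stay intact.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries: 11 ¤¤¤
[sUSP PATH] 82960840.job @ : C:\Users\Soham\AppData\Local\Temp\\setup3675677888.exe -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:52848) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][FOLDER] plugs : c:\users\soham\appdata\roaming\adobe\plugs --> FOUND
[Faked.Drv][FAKED] tdx.sys : c:\windows\system32\drivers\tdx.sys --> CANNOT FIX
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[165] : NtLoadDriver @ 0x8236FDEE -> HOOKED (Unknown @ 0x892A0610)
SSDT[194] : NtOpenProcess @ 0x82424FAE -> HOOKED (Unknown @ 0x891989C0)
S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x89270BE0)
"""

# "[TAG][TAG] detail -> STATUS" (or "--> STATUS") lines
ENTRY_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-+>\s*([A-Z][A-Z ]*)$")
# "SSDT[n] : NtFoo @ 0x... -> HOOKED (Module @ 0x...)" and the S_SSDT variant
HOOK_RE = re.compile(
    r"^(S_SSDT|SSDT)\[(\d+)\]\s*:\s*(\S+)(?:\s*@\s*0x[0-9A-Fa-f]+)?"
    r"\s*->\s*HOOKED\s*\((\S+)\s*@\s*(0x[0-9A-Fa-f]+)\)$"
)


def parse_report(text):
    """Split a RogueKiller report into tagged findings and SSDT hook lines."""
    entries, hooks, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("¤¤¤"):            # section header, e.g. "Registry Entries: 11"
            section = line.strip("¤ ")
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = re.findall(r"\[([^\]]+)\]", m.group(1))
            entries.append({"section": section, "tags": tags,
                            "detail": m.group(2), "status": m.group(3)})
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"table": m.group(1), "index": int(m.group(2)),
                          "function": m.group(3), "module": m.group(4),
                          "handler": m.group(5)})
    return {"entries": entries, "hooks": hooks}


def assess(entry):
    """Return (severity, note) for one tagged finding; my own defender-side ranking."""
    tags, detail = entry["tags"], entry["detail"]
    if "FAKED" in tags:
        return ("critical", "system driver reported as patched/replaced and the tool could not "
                            "fix it; rootkit-class finding, needs specialist cleanup")
    if "PROXY IE" in tags and "127.0.0.1" in detail:
        return ("high", "IE proxy points at a listener on the local machine, so browser traffic "
                        "is being intercepted; consistent with the reported redirects")
    if "sUSP PATH" in tags and "\\temp\\" in detail.lower():
        return ("high", "scheduled task (.job) launching a payload from the user's Temp folder")
    if any(t.startswith("Tr.") for t in tags):
        return ("high", "folder matches a trojan family signature (%s)" % tags[0])
    if "HJ" in tags:
        return ("low", "Explorer/Start menu visibility setting; cosmetic and safe to restore")
    return ("info", "unclassified; review manually")


def triage(text):
    """Every tagged finding with its severity and note, in report order."""
    rows = []
    for e in parse_report(text)["entries"]:
        sev, note = assess(e)
        rows.append({"severity": sev, "tags": e["tags"], "detail": e["detail"],
                     "status": e["status"], "note": note})
    return rows


def severity_counts(text):
    return Counter(r["severity"] for r in triage(text))


def hooks_by_module(text):
    """SSDT hooks per owning module; 'Unknown' means RogueKiller could not attribute it."""
    return Counter(h["module"] for h in parse_report(text)["hooks"])


if __name__ == "__main__":
    for r in sorted(triage(SAMPLE_REPORT), key=lambda r: r["severity"]):
        print("%-8s %-22s %s" % (r["severity"], "/".join(r["tags"]), r["note"]))
    print("severities:", dict(severity_counts(SAMPLE_REPORT)))
    print("hooks by module:", dict(hooks_by_module(SAMPLE_REPORT)))
```

The hook count is reported separately on purpose: on a 32-bit Vista system with a security suite installed, SSDT hooks owned by an unattributed module are not by themselves proof of a rootkit, because such suites hook the same table, so the hook list should be correlated with the loaded driver list before drawing a conclusion. The proxy entry, the Temp-folder task and the faked driver are the findings that directly explain the symptoms the poster described.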

I didn't mean to post it in PM. I didn't know it was a PM; I was just replying to where my message was transferred..... I would like to remind you again I am new to this. But thank you for the help in advance.

OK, run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest:

[sUSP PATH] 82960840.job @ : C:\Users\Soham\AppData\Local\Temp\\setup3675677888.exe -> FOUND

[sUSP PATH] win402b40.job @ : C:\Users\Soham\AppData\Local\Temp\win402b40.dat -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

Now click Delete on the right hand column under Options

Repeat the process for these under Files:

Click on the > put a check next to these and uncheck the rest

Click on Delete

¤¤¤ Particular Files / Folders: ¤¤¤

[Tr.Karagany][FOLDER] plugs : c:\users\soham\appdata\roaming\adobe\plugs --> FOUND

[Tr.Karagany][FOLDER] shed : c:\users\soham\appdata\roaming\adobe\shed --> FOUND

Repeat the process for this under Proxy:

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:52848) -> FOUND

----------

Then.......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

I tried deleting the proxy and it says not removed, use ProxyFix.

You have to click on the "Fix Proxy" button, sorry for the confusion.

MrC

Ok, I tried ComboFix and guess what.

My computer kept on going in a cycle of restarts.

Like it kept on restarting by itself.

I am sorry Mr Charlie but your advice may not have been for the better.

I am not sure what to do.

Coz after all that mess I just shut it down

And then started it a few hours later

And it said restart issues and needs to restore from an earlier point when it worked

And I had to click yes.

I am so lost. Also this advice is posted once every day; now I know they are helping for free, but if I am in the middle of something new and something goes wrong, who do I ask?

Mr Charlie replies to stuff once every day

So I need to wait for an answer until the next day and the virus problem is still persistent

I need some better help please....

I need some better help please....

You don't want my help anymore??

MrC

I am not saying I don't need your help any more.

I need better help.

I mean, if I am in the middle of a new system scan with a powerful program like ComboFix

And if something goes wrong, coz computers and viruses are not in my control, how do I get in touch with you or someone?

If you are free right now we can do it now.

I need some more immediate help.

I am so lost. Also this advice is posted once every day; now I know they are helping for free, but if I am in the middle of something new and something goes wrong, who do I ask?

Mr Charlie replies to stuff once every day

So I need to wait for an answer until the next day and the virus problem is still persistent

I need some better help please....

You have to lose the attitude, I'm here all day long....from about 6:30 in the morning to about 11PM.

Mr Charlie replies to stuff once every day

I answer all posts immediately when I can; I do have to sleep, eat, shower, etc.

I've been here all day long so far and answering posts continuously.

We may be in different parts of the world also!!

-------------------------------------------

How is the computer now, does it boot up and Windows start??

MrC

I have absolutely no attitude.

It is sometimes hard to show your tone through messaging on a forum.

If you read my earlier reply I even mentioned that I know you are doing me a favor, but

Ok, I can't keep arguing over the same topic coz I am not sure there is a better way of explaining.

Computer started when Windows did system repair.

I had Dell Dock and it's not working.

My HP printer stuff isn't working.

It still says that my recycle bin is corrupted and Norton still keeps showing Trojan warnings.

Do you have a new idea or better plan, coz ComboFix didn't do anything good, instead it ruined a few good things.

Is it possible to chat with you somewhere?

Like a live chat kind of a situation so that we can do something fast enough

No, we work on the forum, MrC

ComboFix creates a system restore point just before it runs; I suggest you use it to restore the computer to the way it was before you ran ComboFix.

You can even restore it to before that, you have many restore points created.

MrC

Read my post before yours, MrC

I don't know how to restore from the ComboFix restore point.

Do you know how?

Sorry but your messages are being received with a lag, hence the repetitive questions.

If you're not sure how to use system restore, please try to get someone to help you, MrC

This topic is now closed to further replies.