Adware.something has Malwarebytes beta rootkit beat. What next?

11 replies to this topic

#1 SuperLost

Posted 14 March 2014 - 07:43 PM

hi Guys,

 

So after noticing my browser was getting a lot of ads, I downloaded Malwarebytes. I found malware, but wasn't able to remove it.
 

Then I tried the beta rootkit remover, and even the 'fixdamage.exe', but every time I reboot the scanner keeps finding the same stuff.
 

It's 3 variations of an adware... I think it's a rootkit?
 

I'm just wondering if I should download an offline scanner or something (like a live disc), or if anyone has any tips?
 

Thanks so much!


#2 boopme

Posted 14 March 2014 - 07:50 PM

Hello SuperLost. Do you still have the logs to post?
What is your Operating System?
Which browser do you use?
 
Please run these for now.
 
Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
Running GMER on 32 and 64 bit Systems
--------------------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror which will download a randomly named file
  • Zipped Mirror - Unzip the file to its own folder such as C:\gmer
    • Disconnect from the Internet and close all running programs
    • Temporarily disable any real-time active protection
    • It is very important you do not use your computer while GMER is running
    • Double-click on the randomly named GMER icon
    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
    • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
    • Please check in the Quick scan box
    • Please uncheck the following: IAT/EAT, Show All <<< Important
    • Click Scan
    • If you see a rootkit warning window click OK
    • When the scan is finished, Save the results to your desktop as gmer.log
    • Click Copy then paste the results in your reply
    • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled
  • Note: If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 SuperLost

Posted 14 March 2014 - 08:27 PM

boopme,

 

thanks so much for the quick reply.

Rkill terminated one process.
I disabled the firewall, unplugged my connection, and ran GMER.

I think I did as you asked, but it found nothing. I also didn't see any way to save a log. Am I missing something?


 



#4 boopme

Posted 14 March 2014 - 08:51 PM

Let's do this next.

Download RogueKiller from one of the following links and save it to your desktop:
  • Link 1
  • Link 2
    • Close all programs and disconnect any USB or external drives before running the tool.
    • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
    • Once the Prescan has finished, click Scan.
    • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
    • Copy and paste the report that opens into your next reply.
      • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
      • The highest number of [X], is the most recent Scan
You're welcome.

#5 quietman7

Posted 14 March 2014 - 09:21 PM

Please post the complete results of your Malwarebytes scan for boopme to review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-yyyy-mm-dd
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log will automatically open in Notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#6 SuperLost

Posted 14 March 2014 - 11:23 PM

thanks for the help again!

Here is the Rogue Killer scan: 

It did seem to find some things, but I didn't fix / delete anything..
 

Also, I haven't rebooted since the rkill originally killed one process.

 

        

(as for the malwarebytes, do you want me to try and find that as Quietman has suggested?)

 

RogueKiller V8.8.11 [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : 3d [Admin rights]
Mode : Scan -- Date : 03/15/2014 00:18:54
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] mcyrsjdi.exe -- C:\Users\3d\AppData\Local\Temp\eo5l5oam.4r0\mcyrsjdi.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] SMW_UpdateTask_Time_323531373939393638332d3437415a556c2a3223346c41 : wscript.exe - //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 [x][-][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1                   activate.adobe.com
127.0.0.1                   practivate.adobe.com
127.0.0.1                   lmlicenses.wip4.adobe.com
127.0.0.1                   lm.licenses.adobe.com
127.0.0.1                   na1r.services.adobe.com
127.0.0.1                   hlrcv.stage.adobe.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST31000524AS ATA Device +++++
--- User ---
[MBR] 2420172947cbf71663da5d2ba7aac0f9
[BSP] e890ccbb959d7de92213f1efc6ca8eea : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST380819AS ATA Device +++++
--- User ---
[MBR] 3d3b68e27aad4b6d8ceb1e39a22223ac
[BSP] 9192aaa92bc9fe3ed8d071b0cb685d9f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76191 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_03152014_001854.txt >>






 



#7 quietman7

Posted 15 March 2014 - 06:57 AM

[quote]as for the malwarebytes, do you want me to try and find that as Quietman has suggested?[/quote]


Yes. In Post #2 boopme already asked if you still had the logs to post. If the scan keeps finding the same items, he needs to see what is being detected.

#8 SuperLost

Posted 16 March 2014 - 04:22 PM

Quietman7,

 

thanks for the response.

I just tried loading Malwarebytes, but there was no log button as he mentioned. It was the anti-rootkit beta I was using, not the full Malwarebytes app.

What would be a good next step?

I've now rebooted the comp.

Should I run Rkill? RogueKiller? Malwarebytes? Malwarebytes Rootkit beta?

 

Sorry If I haven't followed directions clearly enough.

 

SL



#9 quietman7

Posted 16 March 2014 - 04:34 PM

Then we are confused. In your first post you said the following.
[quote]...downloaded Malwarebytes. I found malware, but wasn't able to remove it. Then I tried the beta root kit remover,[/quote]
That statement indicates you downloaded Malwarebytes Anti-Malware, performed a scan and, after finding but not being able to remove malware, you used Malwarebytes Anti-Rootkit.

You can manually access all logs.

Malwarebytes Anti-Malware logs are automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Malwarebytes Anti-Rootkit creates two log files to save all information about a malware scan and the hardware used. The malware scan log (mbar-log-YYYY-MM-DD) is created in the current directory in a format similar to that used by Malwarebytes Anti-Malware. Scan logs are created as a separate file for each scan performed. The scan log is the one which will show what infections were detected and removed.

Again, if the scan keeps finding the same items, boopme needs to see what is being detected. So whichever log shows those detections is what you need to copy and paste here.

#10 SuperLost

Posted 16 March 2014 - 04:49 PM

Hi Guys,

 

I ran the app (not the rootkit beta) and included the scan log here. This scan happened after booting, and not running any other app aside from my internet browser.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.16.04

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
3d :: 3D-PC [administrator]

3/16/2014 5:23:40 PM
MBAM-log-2014-03-16 (17-47-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221406
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Detected: 1
C:\Users\3d\AppData\Local\Temp\m2nggnjb.ahn\mcyrsjdi.exe (Adware.Agent) -> 1596 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\3d\AppData\Local\Temp\m2nggnjb.ahn\mcyrsjdi.exe (Adware.Agent) -> No action taken.
C:\Windows\System32\rp.dll (Adware.Downloader) -> No action taken.
C:\Users\3d\AppData\Local\Temp\afgytdrp_516869_setup.exe (Adware.GoOffer) -> No action taken.
C:\Users\3d\AppData\Local\Temp\afgytdrp_63441_setup.exe (Adware.GoOffer) -> No action taken.
C:\Users\3d\AppData\Local\Temp\afgytdrp_837405_setup.exe (Adware.GoOffer) -> No action taken.
C:\Users\3d\AppData\Local\Temp\afgytdrp_885250_setup.exe (Adware.GoOffer) -> No action taken.
C:\Users\3d\AppData\Local\Temp\cwmutzoi.hxa\mcyrsjdi.exe (Adware.Agent) -> No action taken.
C:\Users\3d\AppData\Local\Temp\eo5l5oam.4r0\mcyrsjdi.exe (Adware.Agent) -> No action taken.
C:\Users\3d\AppData\Local\Temp\tmkvktwe.hyt\mcyrsjdi.exe (Adware.Agent) -> No action taken.

(end)
 



#11 SuperLost

Posted 16 March 2014 - 05:10 PM

Quietman,

 

sorry I didn't read your post well enough. With your help, I found the log for the rootkit scan. Here it is (this was the scan from the other day, after running rkill)

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.03.14.08

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
3d :: 3D-PC [administrator]

3/14/2014 8:09:50 PM
mbar-log-2014-03-14 (20-09-50).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 243641
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\SysWOW64\rp.dll (Adware.Downloader) -> Delete on reboot.
C:\Users\3d\AppData\Local\Temp\afgytdrp_583352_setup.exe (Adware.GoOffer) -> Delete on reboot.
C:\Users\3d\AppData\Local\Temp\bd10bzud.s3d\mcyrsjdi.exe (Adware.Agent) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#12 boopme

Posted 16 March 2014 - 07:18 PM

Hello,
In the MBAR log .. you need to restart the computer to complete the malware removal.

In this MBAM log the results show

No action taken.

This can mean you did NOT click the Remove Selected button. If that is the case you need to re-run MBAM to be sure.
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", this time click the Delete button.
  • Copy and paste the report that opens into your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
    • The highest number of [X], is the most recent Delete

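A small parser for the Malwarebytes log format pasted in this thread, added here as an example and not part of the thread or of Malwarebytes' own tooling. It checks that a pasted log is complete (each section's declared count must match the lines present, which is why the helpers keep asking for the complete log), separates "No action taken" items (Remove Selected was never clicked) from "Delete on reboot" items (the removal is still waiting on a restart), and shows the same mcyrsjdi.exe turning up under several random-named Temp folders. The sample lines are copied from the two logs above, trimmed, with the section counts adjusted to match.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: detection lines copied from the two Malwarebytes logs posted in
# this thread (MBAM scan of 3/16/2014, MBAR scan of 3/14/2014), trimmed with counts adjusted.
MBAM_LOG = r"""Memory Processes Detected: 1
C:\Users\3d\AppData\Local\Temp\m2nggnjb.ahn\mcyrsjdi.exe (Adware.Agent) -> 1596 -> No action taken.
Files Detected: 4
C:\Users\3d\AppData\Local\Temp\m2nggnjb.ahn\mcyrsjdi.exe (Adware.Agent) -> No action taken.
C:\Windows\System32\rp.dll (Adware.Downloader) -> No action taken.
C:\Users\3d\AppData\Local\Temp\afgytdrp_516869_setup.exe (Adware.GoOffer) -> No action taken.
C:\Users\3d\AppData\Local\Temp\eo5l5oam.4r0\mcyrsjdi.exe (Adware.Agent) -> No action taken.
"""
MBAR_LOG = r"""Files Detected: 3
C:\Windows\SysWOW64\rp.dll (Adware.Downloader) -> Delete on reboot.
C:\Users\3d\AppData\Local\Temp\afgytdrp_583352_setup.exe (Adware.GoOffer) -> Delete on reboot.
C:\Users\3d\AppData\Local\Temp\bd10bzud.s3d\mcyrsjdi.exe (Adware.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<path> (<detection name>) [-> <pid>] -> <action>."  The PID is present only for running processes.
DETECT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\)(?: -> (?P<pid>\d+))? -> (?P<action>.+?)\.?$")


def parse_log(text):
    """Return one dict per detection line. Raise if a section's declared count disagrees
    with the lines actually present, which is what a truncated or partial paste looks like."""
    detections, declared, section = [], {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m["section"]
            declared[section] = int(m["count"])
        elif (m := DETECT_RE.match(line)) and section:
            detections.append({"section": section, **m.groupdict()})
    for sec, n in declared.items():
        found = sum(d["section"] == sec for d in detections)
        if found != n:
            raise ValueError(f"{sec}: log declares {n} items but {found} are present")
    return detections


def triage(detections):
    """Sort detections by what the user still has to do: 'No action taken' means Remove
    Selected was never clicked; 'Delete on reboot' means the removal waits for a restart."""
    out = {"not_removed": [], "reboot_required": [], "dropped_under": defaultdict(set)}
    for d in detections:
        action = d["action"].lower()
        if action.startswith("no action"):
            out["not_removed"].append(d["path"])
        elif "reboot" in action:
            out["reboot_required"].append(d["path"])
        p = PureWindowsPath(d["path"])
        # The same file name under several random-named folders: re-dropped rather than persisting
        out["dropped_under"][p.name].add(p.parent.name)
    return out
```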
