AVG and Rogue Killer gave me warnings, Am I infected?


8 replies to this topic

#1 Neozoe (Members, 5 posts)

Posted 20 November 2015 - 08:30 AM

Hello,

 

I want to thank you in advance for taking the time to read my post and help me. I'm new to this forum so if I posted this in the wrong area please let me know; I want to try to abide by the website rules.

 

 

I'm not sure if I'm infected or not but I figured it would be best to ask on here. I'm running a Windows 7 PC and I haven't reformatted it since I bought it almost 2 years ago. I'm usually really safe with my PC and I've had AVG Free on it since the day I bought it.

Last week my AVG Free Resident Shield blocked 5 instances of a Trojan it called MSIL9.AFQI. I checked the AVG virus vault but there was nothing in there. I immediately ran a full computer scan with AVG and found nothing. I then downloaded Malwarebytes and ran a full scan and it found nothing. I finally downloaded RogueKiller and ran a scan; RogueKiller found a few PUM.DNS instances and many instances of a yellow-listed entry:

    [IAT:Addr(Hook.IEAT)] (explorer.exe) kernel32!TerminateProcess : Unknown @ 0x80000000

I believe there were over 100 of these.

I installed a free premium trial version of Emsisoft Anti-Malware and uninstalled my AVG since I lost confidence in it.

I've run Malwarebytes, Emsisoft Anti-Malware and RogueKiller every day since AVG found the infection and I still keep seeing the same results from RogueKiller. Malwarebytes and Emsisoft scans always come out clean.

Was the MSIL9.AFQI a false positive? And are the RogueKiller results false positives as well?

 

Thank you so much in advance for any help.




#2 buddy215 (Moderator, 13,261 posts, West Tennessee)

Posted 20 November 2015 - 08:53 AM

Suggest you start a new topic in the Malware Removal Forum.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Neozoe (Topic Starter, Members, 5 posts)

Posted 20 November 2015 - 08:59 AM

Hello buddy215, 

Thank you for your reply.

I'll look through the instructions and post in the Malware Removal Forum once I do.

 

Much appreciated.



#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,597 posts, Virginia, USA)

Posted 21 November 2015 - 06:21 AM

FYI: Both legitimate programs and malware can exhibit rootkit-like behavior or hook into the OS. See the explanations by the developer and his staff in these topics.

Userland rootkits: Part 1, IAT hooks

"If you land here from RogueKiller... This is because RogueKiller has detected an IAT/EAT hook. Don't panic. Most of the time, they are made by legit modules (even some system DLLs) to add filtering features, or by antiviruses. However, most of these DLLs are whitelisted in RogueKiller, so either the DLL is not known (please verify by typing it on Google), or the module is a real malware (if you didn't find anything on it on Google, or worse, you found bad things), or the module has not been identified (shellcoded outside of any module), in which case the module is named "Unknown". In this last case, if nothing else has been found by RogueKiller, just skip it. Another thing to know is it's USELESS in most of the cases to remove a module, because if you're able to do it, it will be back at reboot, or at process restart. You have to target the persistence item instead (registry key, patched file, ...). In RogueKiller, IAT hooks are just listed for diagnostic and will not be restored."

KernelMode rootkits: Part 2, IRP hooks

"If you land here from RogueKiller... This is because RogueKiller has detected an IRP hook. Don't panic. Most of the time, they are made by legit drivers to filter IRPs. Though this is not a best practice, still some drivers use that method."

Usually when a computer is infected with malware there most likely will be other obvious indications (signs of infection) that something is wrong.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
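The two checks that follow from the RogueKiller developer's advice quoted in the post above (first find out which loaded module, if any, owns the hook target; then go after the persistence item rather than the hook) can be done by hand on the affected machine. The script below is an added example written for this page; it is not code from the thread, from RogueKiller, or from any other tool named here. It uses only built-in cmdlets (Get-Process, Get-AuthenticodeSignature, Get-ItemProperty) and the standard Run/RunOnce keys; the process name explorer and the address 0x80000000 in the usage lines are taken from the scan line quoted in post #1 and are assumptions about what the reader wants to look up. Run it in a PowerShell whose bitness matches the target process and as the user who owns that process (or elevated); it only reads, it changes nothing.

```powershell
# Added example, not from the thread or from RogueKiller. Read-only.
# Assumes Windows PowerShell on the machine being examined.

function Resolve-HookAddress {
    <#
      Map an address reported as a hook target to the loaded module whose
      image range contains it, then verify that module's Authenticode
      signature. No owning module corresponds to what RogueKiller labels
      "Unknown": code outside any mapped image. A target inside a signed
      AV or system DLL is the "legit filtering module" case.
    #>
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # e.g. explorer (no .exe)
        [Parameter(Mandatory)][uint64]$Address        # e.g. 0x80000000
    )
    foreach ($p in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
        try { $mods = $p.Modules } catch {
            Write-Warning "PID $($p.Id): cannot read modules ($($_.Exception.Message))"
            continue
        }
        $owner = $null
        foreach ($m in $mods) {
            $base = [uint64]$m.BaseAddress.ToInt64()
            $end  = $base + [uint64]$m.ModuleMemorySize
            if ($Address -ge $base -and $Address -lt $end) { $owner = $m; break }
        }
        if ($null -eq $owner) {
            [pscustomobject]@{
                PID = $p.Id; Address = ('0x{0:X}' -f $Address)
                Module = 'Unknown (no loaded module covers this address)'
                Path = $null; Signature = $null; Signer = $null
            }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $owner.FileName
        [pscustomobject]@{
            PID = $p.Id; Address = ('0x{0:X}' -f $Address)
            Module = $owner.ModuleName; Path = $owner.FileName
            Signature = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject # $null when unsigned
        }
    }
}

function Get-RunKeyTargets {
    <#
      The persistence check: resolve each Run/RunOnce entry to the file it
      launches and flag targets that live under a directory an ordinary
      user can write to (where random DLLs in %TEMP% would also sit) or
      that fail signature verification.
    #>
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Commonly abused user-writable locations (ProgramData subfolders are often writable too).
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
        Where-Object { $_ }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }        # drop PSPath, PSProvider, ...
        foreach ($prop in $props) {
            $cmd = [string]$prop.Value
            # First quoted token, otherwise first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $suspectPath = [bool]($userWritable | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })
            $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key = $k; Name = $prop.Name; Target = $exe
                SuspectPath = $suspectPath; Signature = $status
            }
        }
    }
}

# Usage on the affected machine (names and address assumed from post #1):
#   Resolve-HookAddress -ProcessName explorer -Address 0x80000000 | Format-List
#   Get-RunKeyTargets | Where-Object { $_.SuspectPath -or $_.Signature -ne 'Valid' }
```

Resolve-HookAddress only answers "which image, if any, owns this address"; it cannot say whether the hook is benign, which is the same limit the developer describes. Run/RunOnce is one persistence location among many (services, scheduled tasks, Winlogon, AppInit DLLs, WMI subscriptions); the FRST logs buddy215 asks for in post #2 cover those, which is why the forum wants the logs rather than a single key listing.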

#5 quietman7

Posted 21 November 2015 - 06:41 AM

I made an edit to my previous post to include examples at the top so be sure you reread it.

#6 Neozoe (Topic Starter)

Posted 21 November 2015 - 11:59 PM

Thank you for your response quietman7,

 

I've read through the links you've provided and the RogueKiller forum posts. According to the RogueKiller forum posts, most of the time hooks similar to the ones I found are false positives. I've been trying to get on their forum to post my RogueKiller report but I haven't been given access yet. If they are indeed false positives that would make my life a lot easier since I'm not showing any other signs of infection and every other scan I've run always comes back clean.

The one thing that I'm still confused about is why my AVG Resident Shield blocked 5 instances of the MSIL9.AFQI trojan and then I could not find it in the virus vault; it has also never appeared in any of the scanning tools I've run.

Searching the internet gives very little information about MSIL9.AFQI as well. It seems that there are just 1-2 more people who posted on the AVG forums but they never received any clear information as to what it is. The only other internet results are from several of the "how to remove" sites that I've been warned not to trust.

I'll wait to see if I gain access to the RogueKiller forum and post my log there and see what they say. If I can't figure anything out that way I'll make a post in the malware removal section of this forum; unless you feel I should just go ahead and make a post in the malware removal section now.

 

Thanks again.



#7 quietman7

Posted 22 November 2015 - 06:57 AM

You are correct. You have to be careful when conducting searches on the Internet as there is a lot of useless information and misinformation out there, especially in regards to malware removal assistance (and removal guides). Scammers take advantage of uninformed folks and entice them into downloading junk software using gimmicks, false claims and other deceptive advertising. When performing search queries, always check multiple sources to confirm the information provided is safe, consistent and from trustworthy web sites.

Without knowing the specific file name(s) associated with the possible malware threat(s) and where they were located (full file path) on the system, it's difficult to determine exactly what it was or what the scanning engine detected. Each security vendor uses its own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the threat without knowing more about the actual file(s) involved and where they are located (full file path).

AVG does not provide much information about MSIL9.AFQI. In this AVG topic an AVG forum helper advises they sent an email to the OP in regards to fixing the issue instead of posting an answer in public. Apparently that email was an offer of email support or remote assistance. When choosing an anti-virus program, firewall or any other security software, availability of quality/prompt technical support from the vendor is always a consideration. Lack of adequate customer support in addressing issues related to the use of a vendor's product is one reason folks look for other alternatives and one of several reasons I no longer recommend AVG.

As buddy215 suggested, we can do a comprehensive check of your system if you follow his instructions for posting in the Virus, Trojan, Spyware, and Malware Removal Logs forum, but you will most likely have to wait a few days for a reply. The RogueKiller forum is the best place to receive an answer in regards to the scan results, but many forums require you to register and log on first.

#8 Neozoe (Topic Starter)

Posted 23 November 2015 - 07:11 AM

Ah I understand, thank you quietman7,

 

Unfortunately when I uninstalled AVG I believe the Resident Shield logs were deleted (I tried re-installing it but all the logs were gone from the program).

However, I had written down the following about the AVG Resident Shield results:

The virus name in all 5 instances was MSIL9.AFQI and they were all located in C:\user\admin\appdata\local\temp

The process they belonged to was sdiagnhost.exe

Unfortunately I didn't write down the file names; I remember that they were randomly named ".dll" files.

For now I'm going to wait to be approved on the RogueKiller forum and see what they say about the hooks it found. If things take too long I'll move over to the Malware Removal forum as buddy215 suggested.

I appreciate the help so far, thank you. If I find anything out I'll post on here.


#9 quietman7

Posted 23 November 2015 - 08:59 AM

You're welcome and good luck.



