
I think my computer is infected, Possible rootkit?! Please help..



Every now and then when browsing the internet, Malwarebytes will pop up saying "Blocked potentially malicious IP address". It's not always the same IP address; it varies. I am not running Skype or any P2P programs when this happens. Also, a few days ago my antivirus popped up saying something along the lines of "Phew, that was close, Avast just blocked you from a trojan". Then the day after, it popped up saying a trojan was detected by the name of Win32:Evo-gen [Susp]. I then ran Avast's boot scan, which was recommended, but I wasn't satisfied it had cleaned my computer. I then went to run Malwarebytes Anti-Rootkit. Upon opening, I was presented with a window saying "registry value appinit_dlls has been found". I clicked NO and began the scan. The program didn't crash and it finished the scan with no results. I still have suspicions that my computer is infected. Can someone please help me step by step to clean my computer?


Thanks in advance.

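The AppInit_DLLs value that the Anti-Rootkit prompt refers to is a legitimate, documented Windows load point (every process that loads user32.dll also loads the DLLs listed there), so the mere existence of the value is not a finding; what matters is whether it is populated, whether LoadAppInit_DLLs is enabled, and what the listed files are. The PowerShell below is added here as an example and is not part of the original thread. It dumps the relevant values from both the native 64-bit and the WOW64 (32-bit) view of the registry and checks each listed DLL for existence and an Authenticode signature. It assumes an elevated prompt on Windows 7 or later; on Windows 8 and later with Secure Boot enabled the mechanism is disabled regardless of the value.

```powershell
# Added example (not from the original thread): enumerate the AppInit_DLLs
# load points Malwarebytes Anti-Rootkit warned about, in both registry views.
# Run from an elevated PowerShell prompt.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = [string]$props.AppInit_DLLs
    $load  = $props.LoadAppInit_DLLs            # 1 = listed DLLs are injected into user32-linked processes
    $sign  = $props.RequireSignedAppInit_DLLs   # 1 = only signed DLLs are loaded (Windows 7 and later)

    "`n[$key]"
    "  LoadAppInit_DLLs          : $load"
    "  RequireSignedAppInit_DLLs : $sign"
    "  AppInit_DLLs              : '$dlls'"

    if ([string]::IsNullOrWhiteSpace($dlls)) {
        "  -> value is empty; nothing is injected from this key."
        continue
    }

    # The value is a space- or comma-separated list of DLL paths; inspect each one.
    foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $path)) {
            "  -> $path : FILE MISSING (dangling entry)"
            continue
        }
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $who  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        "  -> $path : size=$($item.Length) modified=$($item.LastWriteTime) signature=$($sig.Status) signer=$who"
    }
}
```

An empty AppInit_DLLs with LoadAppInit_DLLs set to 0 is the out-of-the-box state. A populated value whose DLL is unsigned, recently written, or sitting under a user profile is the pattern worth raising with whoever is assisting, rather than deleting it blindly.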

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.



Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, right-click the program, select Run as Administrator to start, and when prompted click Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)



Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


I couldn't run DDS, I tried both links. Saved both of them to my desktop and it says DDS is not meant to run in compatibility mode. My operating system is Windows 8.1; maybe it isn't compatible with this.



Here are my logs for RogueKiller :



RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : stupot03 [Admin rights]
Mode : Scan -- Date : 12/27/2013 18:07:50
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] DellSystemDetect.exe -- C:\Users\stupot0121\AppData\Local\Apps\2.0\93YR31NT.Y1A\0NYEPXWP.OOZ\dell..tion_0f612f649c4a10af_0005.0004_3ddfe37344028d2c\DellSystemDetect.exe [7] -> KILLED [TermProc]
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Users\STUPOT~1\Desktop\dds.scr [-]) -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection :  ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts localhost gs.apple.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10EZEX-75ZF5A0 +++++
--- User ---
[MBR] 79d8355d98165e8638fd47e12f2635e6
[BSP] b996b23d222520b939e9fcd836a9f134 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_S_12272013_180750.txt >>
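Two items in the report above merit a closer look without "fixing" anything: the extra hosts-file mapping, and the SCRNSAVE.EXE value pointing at a .scr on the desktop (DDS is distributed as dds.scr, which is why a screensaver-format binary sitting in a user profile is reported as a suspicious path). The PowerShell below is an added example and not part of the thread. It lists every active hosts mapping other than the loopback defaults and reports where the configured screensaver binary lives, when it was written and whether it is signed, so the user can confirm whether each entry is something they put there. It assumes the standard hosts-file location and Windows 7 or later.

```powershell
# Added example (not part of the thread): review two of the items RogueKiller
# listed, read-only. 1) active hosts-file mappings other than the loopback
# defaults, 2) the per-user screensaver binary named in SCRNSAVE.EXE.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$defaultNames = @('localhost', 'localhost.localdomain', 'broadcasthost')

"== hosts file: $hostsPath =="
Get-Content -LiteralPath $hostsPath | ForEach-Object {
    $line = ($_ -replace '#.*$', '').Trim()     # drop comments and blank lines
    if (-not $line) { return }
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }          # an address with no hostname maps nothing
    $ip    = $parts[0]
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        # Anything that is not a loopback default is either the user's own
        # (e.g. a tool that pins a vendor host) or worth asking about.
        $flag = if ($defaultNames -contains $name.ToLower()) { 'default' } else { 'CHECK' }
        "  [{0,-7}] {1,-15} -> {2}" -f $flag, $ip, $name
    }
}

"`n== screensaver (HKCU\Control Panel\Desktop\SCRNSAVE.EXE) =="
$ss = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if (-not $ss) {
    "  SCRNSAVE.EXE not set"
} else {
    $path = [Environment]::ExpandEnvironmentVariables($ss)
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        "  $path"
        "  size={0} bytes  modified={1}  signature={2}" -f $item.Length, $item.LastWriteTime, $sig.Status
        if ($path -notlike "$env:SystemRoot\*") {
            "  -> outside %SystemRoot%: a .scr is just an executable; confirm you saved it there yourself"
        }
    } else {
        "  $path (FILE MISSING - dangling value)"
    }
}
```

In this thread the flagged screensaver is the DDS tool the user downloaded to the desktop minutes earlier, so the output should match that path and timestamp; a .scr under a user profile that the user does not recognise is the case to report rather than delete.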

OK, do this instead:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.


New window that comes up.




It looks OK, and by looking at the logs you've run all the correct programs.
IP blocks don't always mean you're infected.

Some info for you:

The Website/IP Blocking is a good feature of Malwarebytes, but when it does its job, people think they're infected. Sometimes this is true, but we checked the system and I don't see any malware on it.

My protection logs have similar notifications.
I have my notifications (only) turned off; that setting is under the "Protection Tab" in Malwarebytes.

If you would like to contact Malwarebytes about the problem, here are your options:

Here's some more information on IP Blocking by Malwarebytes:

IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.
  • In some cases the blocks are a false positive.
  • However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the FAQ - Section G (and in the Helpdesk topics HERE and HERE).
They include instructions on how to set MBAM to ignore a particular IP, if you wish to do so.
They also contain instructions on how to determine what process might be trying to make the connections.
You may also research the IP in question at www.ip-lookup.net or a similar site.

On the other hand, if you think the IP blocks might be a false positive, then please read this sticky topic before starting a new topic in the False Positives forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with cleaning process Available Assistance For Possibly Infected Computers.

Some more reading:



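The post above points to the FAQ for working out which process is behind a blocked connection. As an added example that is not part of the thread, the PowerShell below does the same from the command line: given the IP from a "Blocked potentially malicious IP address" alert, it lists the TCP connections to that address with the owning PID, image path and Authenticode status. It assumes Windows 8 or later (for Get-NetTCPConnection) and an elevated prompt so every process's path is readable. A connection the filter stopped before the handshake completed will not appear in the table, so run it while the alerts are still occurring or use the polling loop it prints.

```powershell
# Added example (not from the thread): map a Malwarebytes-blocked remote IP to
# the local process that owns the connection. Needs Windows 8 / Server 2012 or
# later for Get-NetTCPConnection; run elevated.

param(
    [Parameter(Mandatory = $true)]
    [string]$RemoteAddress      # the IP shown in the Malwarebytes alert
)

function Get-ConnectionsTo {
    param([string]$Address)
    Get-NetTCPConnection -RemoteAddress $Address -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                State      = $_.State
                LocalPort  = $_.LocalPort
                RemotePort = $_.RemotePort
                PID        = $_.OwningProcess
                Process    = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Path       = if ($proc) { $proc.Path } else { $null }
            }
        }
}

$hits = Get-ConnectionsTo -Address $RemoteAddress
if (-not $hits) {
    "No current TCP connection to $RemoteAddress."
    "Blocked attempts are short-lived; poll while the alerts are happening, e.g.:"
    "  while (1) { Get-NetTCPConnection -RemoteAddress $RemoteAddress -EA 0 | ft -a; sleep 1 }"
    return
}

$hits | Format-Table -AutoSize

# A browser or updater owning the connection usually means a blocked web
# resource; an unsigned binary under a user profile, or a connection with no
# browser open, is what the helper's "sign of infection" bullet refers to.
foreach ($h in ($hits | Where-Object Path | Sort-Object Path -Unique)) {
    $sig = Get-AuthenticodeSignature -FilePath $h.Path
    $who = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    "{0}: signature={1} signer={2}" -f $h.Path, $sig.Status, $who
}
```

Save it as, for example, Find-BlockedOwner.ps1 and run `.\Find-BlockedOwner.ps1 -RemoteAddress <ip>` with the address copied from the alert. The process name alone is not conclusive; compare the path and signer with what you expect for that program.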

This topic is now closed to further replies.
