Possible Malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by EcoGeek, Jul 5, 2013.

  1. EcoGeek

    EcoGeek Private E-2

    I suspected possible malware and ran reports. Rogue Killer found something not sure what it means? I was suspicious of some activity. I ran it because My view folders options would have show hidden system files, hide protected system files, extensions, empty drives uncheck. I know that I checked them. So I don't know understand when RK found HJ policies etc. but none of the other prgrams found anything.

    Thanks
     

    Attached Files:

    EcoGeek, Jul 5, 2013
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing! There were no problems reported.

    All of your logs are clean. You are not having malware problems.
     
    chaslang, Jul 5, 2013
    #2
  3. EcoGeek

    EcoGeek Private E-2

    I wonder than why after running RK I got a flashing Red Triangle stating to click on certain tabs that had the Red Triangle flashing when I hover over certain tabs it scanned because of malware found?

    HJ registry
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)

    Then it appeared over Driver tab are hooked
    ¤¤ Driver : [LOADED] ¤¤¤
    [Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x8303C9C6 -> HOOKED (Unknown @ 0x8F06874E)
    [Address] SSDT[155] : NtLoadDriver @ 0x83000C32 -> HOOKED (Unknown @ 0x8F068753)
    [Address] SSDT[194] : NtOpenSection @ 0x830A49EB -> HOOKED (Unknown @ 0x8F068749)
    [Address] SSDT[350] : NtSetSystemInformation @ 0x8308937A -> HOOKED (Unknown @ 0x8F068758)
    [Address] SSDT[370] : NtTerminateProcess @ 0x83095D86 -> HOOKED (Unknown @ 0x8F068717)

    then again on hosts stating malicious hosts
    Infection : Mal.Hosts ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts

    127.0.0.1 www.download-winmx-free.com --> Potentially malicious!
    127.0.0.1 download-winmx-free.com --> Potentially malicious!
    127.0.0.1 www.facebook.com.img335.tk --> Potentially malicious!
    127.0.0.1 free-winmx-downloads.com --> Potentially malicious!
    127.0.0.1 www.free-winmx-downloads.com --> Potentially malicious!
    127.0.0.1 www.google.dospop.com --> Potentially malicious!
    127.0.0.1 www.mp3winmx.com --> Potentially malicious!
    127.0.0.1 mp3winmx.com --> Potentially malicious!
    127.0.0.1 winmx.click-new-download.com --> Potentially malicious!
    127.0.0.1 www.winmx.click-new-download.com --> Potentially malicious!
    127.0.0.1 winmx-d0wnload.com --> Potentially malicious!
    127.0.0.1 www.winmx-d0wnload.com --> Potentially malicious!
    127.0.0.1 winmxfrance.com --> Potentially malicious!
    127.0.0.1 www.winmxfrance.com --> Potentially malicious!
    127.0.0.1 winmx-freebie.com --> Potentially malicious!
    127.0.0.1 www.winmx-freebie.com --> Potentially malicious!
    127.0.0.1 winmx-music-download.com --> Potentially malicious!
    127.0.0.1 www.winmx-music-download.com --> Potentially malicious!
    127.0.0.1 www.winmx-usa.com --> Potentially malicious!
    127.0.0.1 winmx-usa.com --> Potentially malicious!

    I don't know much about RK. So, are all these warnings, all false positives?

    Thanks
     
    EcoGeek, Jul 6, 2013
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are not malware. They are changes you made and you should know this. You modified your hosts file to block those URLs by looping them back to your localPC address which is 127.0.0.1. You probably did this with Spybot. And the other items are also just modified from defaults. For example LUA is set to 0 to disable User Account Control ( UAC ) which is what we requested in our cleaning procedure. Since you are not infected, complete the below final instruction which will set UAC back up to normal. Also the SSDT item is due to having installed some disk emulation software or some other software like possibly Peerblock.



    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
    Last edited: Jul 6, 2013
    chaslang, Jul 6, 2013
    #4

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds