

Messages - RaiZZZ19

1
Malware removal help / Re: OUC.EXE
« on: December 23, 2014, 04:09:56 pm »
Well if you say so.

2
Malware removal help / Re: OUC.EXE
« on: December 23, 2014, 03:50:00 pm »
I don't think it really updates, as there is nothing it really does. I don't even get a prompt that I have been given an update.

3
Malware removal help / Re: OUC.EXE
« on: December 23, 2014, 02:25:51 pm »
Yes it is. And it's what I use for internet. But I don't know if my USB stick is connecting from their site. Also, I'm using a Smart SIM.

4
Malware removal help / Re: OUC.EXE
« on: December 23, 2014, 01:00:16 pm »
But it never gets updated. Anyway, it will reappear again. I assumed it is malware because I frequently get disconnected for no reason. So do I leave it alone?

5
Malware removal help / OUC.EXE
« on: December 23, 2014, 11:25:15 am »
It says "Killer proc" something and is located on my Globe broadband stick like it's an updater. I delete it normally, but it reappears after a time. And I notice my internet connection cuts itself a number of times, then I can't connect for 1 day. Please help.

RogueKiller V10.1.0.0 [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Scan -- Date : 12/23/2014  17:46:13

Bad processes : 1
[Suspicious.Path] ouc.exe -- C:\ProgramData\Globe Tattoo Broadband\OnlineUpdate\ouc.exe[7] -> KILLED [TermProc]

Registry Entries : 1
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD (\SystemRoot\system32\drivers\afd.sys) -> FOUND

Scheduled tasks : 0

Files : 0

HOSTS File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 2 (Driver: LOADED)
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8bf542e6
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8bf542eb

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HUAWEI MMC Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


6
RogueKiller / Re: Can't be deleted possible malware
« on: September 23, 2014, 03:41:15 pm »
Ok. thanks for the assistance.

7
RogueKiller / Re: Can't be deleted possible malware
« on: September 23, 2014, 02:21:23 pm »
So what about my screen being like that, and the sites I visit now require a Cloudflare check even if I scanned before connecting to the net? And some changes in my laptop settings like I mentioned? It feels like there's something else or my laptop has damage. How do I check for damage?

8
RogueKiller / Re: Can't be deleted possible malware
« on: September 23, 2014, 01:01:23 pm »
Yeah, that's what I did. So as not to confuse things, I made a new scan with RogueKiller and after that GMER. Here's a pic and the report.
But may I ask, is the [SSDT] highlighted in orange a good thing or a bad thing, and if it's bad, can it be removed? And in another pic there are these stains at the top of the screen, which I believe are caused by malware. The changes I found on my laptop are suspicious. On startup my firewall seems to be always turned off, which started recently, and my broadband stick is displaying the wrong color indication even when the signal is strong. Also, I have a game that has a Notepad file whose contents are sometimes erased while the file itself remains, so the game is unable to start.

=============================================================
RogueKiller V9.2.11.0 [Sep  9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Scan -- Date : 09/23/2014  17:01:09

Bad processes : 0

Registry Entries : 0

Scheduled tasks : 0

Files : 0

HOSTS File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 8 (Driver: LOADED)
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : Unknown @ 0x8c83e11e
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8c83e128
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x8c83e123
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8c83e12d
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8c83e132
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8c83e0bf
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8c83e146
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8c83e14b

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

==================================================================

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-23 17:37:51
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0 232.89GB
Running: gmer.exe; Driver: C:\Users\Rai\AppData\Local\Temp\pwdiqpow.sys


---- System - GMER 2.1 ----

SSDT            8C83E11E                                                                                              ZwCreateSection
SSDT            8C83E128                                                                                              ZwRequestWaitReplyPort
SSDT            8C83E123                                                                                              ZwSetContextThread
SSDT            8C83E12D                                                                                              ZwSetSecurityObject
SSDT            8C83E132                                                                                              ZwSystemDebugControl
SSDT            8C83E0BF                                                                                              ZwTerminateProcess

---- Devices - GMER 2.1 ----

Device          \Driver\USBSTOR -> DriverStartIo \Device\0000008e                                                     BE034F26
Device          \Driver\USBSTOR \Device\0000008e                                                                      BE03EFC8
Device          \Driver\USBSTOR -> DriverStartIo \Device\0000008f                                                     BE034F26
Device          \Driver\USBSTOR \Device\0000008f                                                                      BE03EFC8

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                               Wdf01000.sys

Device          \Driver\hwdatacard \Device\QCUSB_COM10_2                                                              BE1C3A3C

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                               Wdf01000.sys

Device          \Driver\hwdatacard \Device\QCUSB_COM11_3                                                              BE1C3A3C
Device          \Driver\hwdatacard \Device\QCUSB_COM9_1                                                               BE1C3A3C
Device          \Driver\USBSTOR -> DriverStartIo \Device\00000090                                                     BE034F26
Device          \Driver\USBSTOR \Device\00000090                                                                      BE03EFC8
Device          \Driver\USBSTOR -> DriverStartIo \Device\00000091                                                     BE034F26
Device          \Driver\USBSTOR \Device\00000091                                                                      BE03EFC8

---- Registry - GMER 2.1 ----

Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622              0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                0x00 0x21 0x5B 0xCF ...

---- EOF - GMER 2.1 ----

9
RogueKiller / Re: Can't be deleted possible malware
« on: September 22, 2014, 11:41:59 am »
I'm a little confused because I can't find where it was installed. I went to that site and downloaded it. It was in a zip, and inside is Gmer.exe and another file, not a zip, named with a combination of numbers and letters. It's just double-click and then you start to scan. But it did say on the site that it installs somewhere and you can delete it. Maybe I'm missing something here. Anyway, I'm scanning for the 2nd time, so maybe I did something wrong on the 1st scan.

10
RogueKiller / Re: Can't be deleted possible malware
« on: September 22, 2014, 11:18:06 am »
I've downloaded both, and both are only .exe files. So I opened them with 7z, but all the files I found are digits and a .sys file. It basically runs and doesn't need to install, so I don't know where that tmp folder you're talking about is.

11
RogueKiller / Re: Can't be deleted possible malware
« on: September 22, 2014, 11:07:02 am »
I think I downloaded the .exe that doesn't need to install, and the driver file you're mentioning is in that installer. I downloaded the non-installer because it doesn't let me download the installer. So I'll try again.

12
RogueKiller / Re: Can't be deleted possible malware
« on: September 21, 2014, 10:11:41 pm »
Here's the GMER Scan:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-22 04:05:42
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0 232.89GB
Running: gmer.exe; Driver: C:\Users\Rai\AppData\Local\Temp\pwdiqpow.sys


---- System - GMER 2.1 ----

SSDT            8BD31CFE                                                                                              ZwCreateSection
SSDT            8BD31D08                                                                                              ZwRequestWaitReplyPort
SSDT            8BD31D03                                                                                              ZwSetContextThread
SSDT            8BD31D0D                                                                                              ZwSetSecurityObject
SSDT            8BD31D12                                                                                              ZwSystemDebugControl
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS                                                    ZwTerminateProcess [0x8F690640]

---- Kernel code sections - GMER 2.1 ----

.text           ntkrnlpa.exe!KeSetEvent + 215                                                                         840FC860 4 Bytes  [FE, 1C, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 539                                                                         840FCB84 4 Bytes  [08, 1D, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 56D                                                                         840FCBB8 4 Bytes  [03, 1D, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 5D1                                                                         840FCC1C 4 Bytes  [0D, 1D, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 619                                                                         840FCC64 4 Bytes  [12, 1D, D3, 8B]
.text           ...                                                                                                   

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                               Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                               Wdf01000.sys

---- Registry - GMER 2.1 ----

Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622              0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                0x00 0x21 0x5B 0xCF ...

---- EOF - GMER 2.1 ----

13
RogueKiller / Re: Can't be deleted possible malware
« on: September 21, 2014, 12:24:43 pm »
Yes. And every time I go to a site I'm directed to Cloudflare or another security check. OK, I'll try GMER.

14
RogueKiller / Re: Can't be deleted possible malware
« on: September 21, 2014, 12:01:22 pm »
I can't find it. Don't know if it's hiding itself. And there are other temp folders (12 & 35) aside from the original temp. How do I fix these?

15
RogueKiller / Re: Can't be deleted possible malware
« on: September 19, 2014, 08:47:15 am »
Here's a 2nd scan with more detections:

RogueKiller V9.2.11.0 [Sep  9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Scan -- Date : 09/19/2014  14:28:03

Bad processes : 0

Registry Entries : 1
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A773825-CD3A-43AA-B6FF-1A6A9E969E5E} | NameServer : 121.1.3.74 121.1.3.89  -> FOUND

Scheduled tasks : 0

Files : 0

HOSTS File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 23 (Driver: LOADED)
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962e8c
[SSDT:Addr(Hook.SSDT)] NtCreateThread[78] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1963010
[SSDT:Addr(Hook.SSDT)] NtMakeTemporaryObject[174] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962e02
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196312e
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8bd70b20
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196324e
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8bd70b25
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f94c
[SSDT:Addr(Hook.SSDT)] NtSetSystemTime[319] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195fb02
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8bd70b2a
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8bd70ab7
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962d74
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196102e
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196309e
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallTwoParam[334] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1961d0a
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f2f6
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f292
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195eece
[ShwSSDT:Addr(Hook.Shadow)] NtUserQueryWindow[504] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195ecce
[ShwSSDT:Addr(Hook.Shadow)] NtUserSendInput[525] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1961cb4
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8bd70b3e
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8bd70b43
[ShwSSDT:Addr(Hook.Shadow)] NtUserSwitchDesktop[582] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195e99c

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


