Adlice forum

Software feedback => RogueKiller => Topic started by: everville on July 22, 2014, 09:17:36 PM

Title: explorer.exe
Post by: everville on July 22, 2014, 09:17:36 PM
Hey guys, running RogueKiller and getting Rans.Gendarm although I have not got any web blocking.

The system does occasionally lock for a few seconds repetitively, so it sounds like I've got something.

However, Malwarebytes says there's no infection?

I removed Explorer and ran "scannow", which replaced the file, but this also shows as Rans.Gendarm.

Title: Re: explorer.exe
Post by: Tigzy on July 24, 2014, 10:53:14 AM
Hello,
Can you please provide the report?

Title: Re: explorer.exe
Post by: everville on July 25, 2014, 02:24:14 PM
RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : me [Admin rights]
Mode : Scan -- Date : 07/25/2014  13:14:33

¤¤¤ Bad processes : 2 ¤¤¤
[Rans.Gendarm] explorer.exe -- C:\Windows\Explorer.exe[7] -> KILLED [TermProc]
[Proc.Hidden]  --

¤¤¤ Registry Entries : 2 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 8 (Driver: LOADED) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_POWER[22] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x69e52c0
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\Rt64win7.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD204UI ATA Device +++++
--- User ---
[MBR] 9492072906a8152001eed0513e7b6e64
[BSP] bc953a5abfb9721f2ff199a056df4e57 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic Storage Device USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_07222014_175839.log - RKreport_SCN_07212014_234311.log - RKreport_SCN_07222014_001407.log - RKreport_SCN_07222014_175825.log
RKreport_SCN_07222014_182029.log

Title: Re: explorer.exe
Post by: Tigzy on July 28, 2014, 11:36:43 AM
That's strange...
Can you please make a FULL dump of Explorer with Process Explorer (Sysinternals tool)?
Right-click on the process -> full dump

Please zip it and attach it to your answer.