Adlice forum
Software feedback => RogueKiller => Topic started by: phshbone on September 11, 2014, 08:03:28 PM
-
Hi
I recently was asked to fix a relative's PC - my uncle died and we need to get info off it. I believe from my research that it is a fake HDD problem. I get Action Center warnings that my antivirus needs to be turned on, the firewall is off, etc. I try to turn the firewall on and get error messages that it won't let me. I can't do Windows updates, etc.
I have run RKill, TDSSKiller, Malwarebytes, SUPERAntiSpyware, Spybot S&D, AdwCleaner, JRT and finally RogueKiller.
I get through the prescan of RK and it tells me I have ZeroAccess attached to SUPERAntiSpyware.
I also got a Serial.exe I believe that came up.
I run the scan part of RK, and when it gets to the Win32 driver scan it freezes. When I run my mouse over the Scan, Delete and Report buttons they light up and the scan appears to be over. I get a couple of registry items that it initially allows me to check. If I check them before the freeze, it allows the delete, but then I see that they were "replaced". If I don't check the items before RK freezes, I am not able to check them or delete them.
I did find this, which I have tried:
http://www.adlice.com/zeroaccess-removal-with-roguekiller/
It seemed to work... I got a lot of red results, deleted them, and they were back on the next reboot.
Any suggestions?
-
Hello
Could you please give the text report?
(Sorry about your uncle.)
-
Thanks... I appreciate that.
Here is the log - before I hit the Delete button and chose what to remove:
RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : wcm [Admin rights]
Mode : Scan -- Date : 09/12/2014 10:38:25
¤¤¤ Bad processes : 3 ¤¤¤
[ZeroAccess] SUPERANTISPYWARE.EXE -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[7] -> KILLED [TermProc]
[Suspicious.Path] FirefoxPortable.exe -- C:\Users\wcm\Desktop\ff14 backup\FirefoxPortable\FirefoxPortable.exe[7] -> KILLED [TermThr]
[Suspicious.Path] firefox.exe -- C:\Users\wcm\Desktop\ff14 backup\FirefoxPortable\App\firefox\firefox.exe[7] -> KILLED [TermThr]
¤¤¤ Registry Entries : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2686632235-3909572256-2187879314-1001\Software\Microsoft\Internet Explorer\Main | Start Page : -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2686632235-3909572256-2187879314-1001\Software\Microsoft\Internet Explorer\Main | Start Page : -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 2 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\Drivers\PxHlpa64.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\drivers\USBPORT.SYS)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AADS-00S9B0 ATA Device +++++
--- User ---
[MBR] f29d794f749304545b5cc015d96d24ed
[BSP] 38fff1c52b15ca93b8e93dfa799c11f9 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: ST3250318AS ATA Device +++++
--- User ---
[MBR] f3d722eff050e18a42f983240efeb788
[BSP] 643b57b4d47c703132dfef6575dc728c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_09062014_142125.log - RKreport_DEL_09062014_143646.log - RKreport_DEL_09062014_152201.log - RKreport_DEL_09072014_172249.log
RKreport_DEL_09072014_175809.log - RKreport_DEL_09082014_151208.log - RKreport_DEL_09082014_175926.log - RKreport_DEL_09082014_183324.log
RKreport_DEL_09082014_190010.log - RKreport_DEL_09092014_165031.log - RKreport_DEL_09092014_170856.log - RKreport_DEL_09092014_174445.log
RKreport_DEL_09092014_184758.log - RKreport_DEL_09112014_102646.log - RKreport_DEL_09112014_104826.log - RKreport_SCN_09062014_141732.log
RKreport_SCN_09062014_143408.log - RKreport_SCN_09062014_150903.log - RKreport_SCN_09072014_152418.log - RKreport_SCN_09072014_171527.log
RKreport_SCN_09072014_175619.log - RKreport_SCN_09082014_135233.log - RKreport_SCN_09082014_175244.log - RKreport_SCN_09082014_180908.log
RKreport_SCN_09082014_185915.log - RKreport_SCN_09092014_134645.log - RKreport_SCN_09092014_163616.log - RKreport_SCN_09092014_165057.log
RKreport_SCN_09092014_170746.log - RKreport_SCN_09092014_174330.log - RKreport_SCN_09092014_180426.log - RKreport_SCN_09112014_102627.log
RKreport_SCN_09112014_104201.log
NOTE:
*** The two registry entries that start with PUM - when I select and delete them, they come back immediately as 'replaced'.
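As an added example (not code from this thread or from Adlice), here is a small Python parser for the RogueKiller report layout quoted above, with a triage pass that orders findings by detection family and flags any section whose header count does not match the lines actually listed, which is what a scan that froze part-way can produce. The embedded report is a constructed excerpt of the log above, and the severity table is an assumption for illustration.

```python
import re

# Constructed excerpt in the RogueKiller V9 layout quoted in this thread.
# "Bad processes : 3" with only two lines listed mimics a truncated scan.
SAMPLE_REPORT = r"""RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
¤¤¤ Bad processes : 3 ¤¤¤
[ZeroAccess] SUPERANTISPYWARE.EXE -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[7] -> KILLED [TermProc]
[Suspicious.Path] FirefoxPortable.exe -- C:\Users\wcm\Desktop\ff14 backup\FirefoxPortable\FirefoxPortable.exe[7] -> KILLED [TermThr]
¤¤¤ Registry Entries : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2686632235-3909572256-2187879314-1001\Software\Microsoft\Internet Explorer\Main | Start Page : -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2686632235-3909572256-2187879314-1001\Software\Microsoft\Internet Explorer\Main | Start Page : -> FOUND
¤¤¤ Files : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
[MBR] f29d794f749304545b5cc015d96d24ed
[BSP] 38fff1c52b15ca93b8e93dfa799c11f9 : Windows Vista/7/8 MBR Code
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d+)?")           # "¤¤¤ Name : N ¤¤¤"
ENTRY_RE = re.compile(r"^\[(?P<tag>[^\]]+)\] (?P<body>.*?)(?: -> (?P<status>.+))?$")  # "[Tag] body -> STATUS"

def parse_report(text):
    """Group each '[Tag] ...' line under the section header above it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current, count = m.group("name"), m.group("count")
            sections[current] = {"declared": int(count) if count else None, "entries": []}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current]["entries"].append(m.groupdict())
    return sections

# Assumed ranking by tag family (the text before the first dot); PUM = potentially unwanted modification.
SEVERITY = {"ZeroAccess": "high", "Suspicious": "medium", "PUM": "low"}
ORDER = ["high", "medium", "low", "check"]

def triage(sections):
    """Return (severity, message) tuples, most severe first."""
    out = []
    for name, sec in sections.items():
        n = len(sec["entries"])
        if sec["declared"] is not None and sec["declared"] != n:
            out.append(("check", f"{name}: header declares {sec['declared']}, report lists {n} (truncated scan?)"))
        for e in sec["entries"]:
            sev = SEVERITY.get(e["tag"].split(".")[0])
            if sev:
                out.append((sev, f"{name}: [{e['tag']}] {e['body']} ({e['status'] or 'no action'})"))
            elif e["tag"] == "BSP" and "Windows" not in e["body"]:   # boot code not identified as Windows
                out.append(("high", f"MBR: unrecognised boot sector code: {e['body']}"))
    return sorted(out, key=lambda f: ORDER.index(f[0]))
```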
-
Ok, nothing to worry about.
I'll look into SUPERANTISPYWARE.
-
Guess no answer to the issue, then.
Thanks for your time.
-
I couldn't reproduce.
Which version of SUPERANTISPYWARE do you use? (portable/pro/free)