Adlice forum
Software feedback => RogueKiller => Topic started by: Tenrai on October 05, 2014, 11:59:01 PM
-
Recently got infected and have tried everything except asking for help on the forums. Finally said "screw it".
Scanned a couple of times; this is the only issue that's coming up.
Any advice?
RogueKiller V9.2.13.0 (x64) [Sep 25 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Max [Admin rights]
Mode : Remove -- Date : 10/05/2014 22:27:48
¤¤¤ Bad processes : 2 ¤¤¤
[Suspicious.Path] explorer.exe -- C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll[-] -> UNLOADED
[Suspicious.Path] explorer.exe -- C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll[-] -> UNLOADED
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] cf96cc57d385a8c7b28658aae6cf2ce2
[BSP] 90240555d77ee0661de9f544bcb1cdb7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_09162014_130226.log - RKreport_DEL_09182014_212915.log - RKreport_DEL_09182014_220913.log - RKreport_DEL_10012014_003900.log
RKreport_DEL_10022014_184724.log - RKreport_DEL_10022014_191602.log - RKreport_DEL_10022014_192740.log - RKreport_SCN_09162014_130124.log
RKreport_SCN_09182014_212432.log - RKreport_SCN_09182014_213745.log - RKreport_SCN_09302014_233052.log - RKreport_SCN_10022014_184613.log
RKreport_SCN_10022014_185331.log - RKreport_SCN_10022014_192533.log - RKreport_SCN_10052014_221739.log - RKreport_DEL_10052014_221930.log
RKreport_SCN_10052014_222400.log
-
Hello,
Could you scan the DLLs on VirusTotal to see if they are malware?
-
Unfortunately I can only scan one of them; it's saying the other is currently in use, and I have no idea what is using it or how to close it.
Managed to fix it.
These are the results:
https://www.virustotal.com/ro/file/f7ec0cb290c7e93557ad622869bd2d04ab4d2ffdcddda47d3a057256168e90b6/analysis/1412576611/
https://www.virustotal.com/ro/file/04e550b4b18c96f8e3bbbd9bb9517cd340e8248dac360f30cf5325ba5dd352c7/analysis/1412577681/
What steps should I do now?
Thanks for helping.
-
Sounds like malware to me.
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Sathurbot#tab=2
Only a few AVs are detecting them; they must be injected somewhere.
Can you dig into regedit.exe and search for IconsCacheHelper.dll? We need to find the entry point of those DLLs.
You can also generate a log with OTL: http://www.bleepingcomputer.com/download/otl/
-
Getting no results on the registry. Tried the other file name and got a result, if that's anything.
Currently scanning with OTL. I'll paste it when I get back from work.
-
I bet that it's in the ShellIconOverlayIdentifiers registry key :)
RogueKiller will be able to handle those keys soon...
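The check suggested in the two replies above (search the registry for the DLL name, and look specifically at ShellIconOverlayIdentifiers) can be scripted. The following PowerShell is an added example for readers of this thread, not code from the original posts or from Adlice or RogueKiller. It walks the 64- and 32-bit ShellIconOverlayIdentifiers keys, resolves each handler's CLSID to its InprocServer32 DLL, and flags any handler whose DLL has one of the two file names from the RogueKiller log above, lives outside the Windows and Program Files directories, or no longer exists on disk. The registry paths are the standard Explorer and CLSID locations; the file names are the ones from the log; everything else (variable and function names) is this example's own.

```powershell
# Added example: audit shell icon overlay handlers for DLLs loaded from unusual places.
# Run from an elevated PowerShell prompt so the HKLM hives are fully readable.

# File names taken from the RogueKiller log in this thread.
$suspectNames = @('SecureIconsProvider.dll', 'IconsCacheHelper.dll')

# Directories where legitimate overlay handler DLLs normally live.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Explorer registers overlay handlers here (64-bit view and 32-bit view).
$overlayKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
)

function Resolve-ClsidServer {
    # Map a CLSID to the DLL path stored in its InprocServer32 (Default) value.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $path = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path).'(default)'
            if ($value) { return [Environment]::ExpandEnvironmentVariables($value) }
        }
    }
    return $null
}

function Get-OverlayHandlerReport {
    # One record per registered handler, with a Flags column listing every reason it looks odd.
    foreach ($key in $overlayKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            if (-not $clsid) { continue }
            $dll = Resolve-ClsidServer -Clsid $clsid
            $reasons = @()
            if ($dll) {
                $leaf = Split-Path -Leaf $dll
                if ($suspectNames -contains $leaf) { $reasons += 'name matches log' }
                $inTrusted = $trustedRoots | Where-Object { $dll.StartsWith($_, 'OrdinalIgnoreCase') }
                if (-not $inTrusted) { $reasons += 'outside Windows/Program Files' }
                if (-not (Test-Path $dll)) { $reasons += 'file missing on disk' }
            } else {
                $reasons += 'CLSID has no InprocServer32'
            }
            [pscustomobject]@{
                Handler = $sub.PSChildName.Trim()
                CLSID   = $clsid
                DLL     = $dll
                Flags   = ($reasons -join '; ')
            }
        }
    }
}

# Show only the handlers that raised a flag; drop the filter to see every handler.
Get-OverlayHandlerReport | Where-Object { $_.Flags } | Format-Table -AutoSize
```

A handler whose DLL sits under C:\ProgramData, as the two in this log do, is reported with "outside Windows/Program Files" even if its file name has been changed, which is why the path test is kept separate from the name match. Because Explorer loads these DLLs at startup, the matching CLSID subkey in ShellIconOverlayIdentifiers is the entry point the reply above asks for; removing that subkey (after backing up the key) stops Explorer from loading the DLL on the next logon, at which point the file itself is no longer in use.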
-
c:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll (3149312 bytes) is definitely a virus. It makes new Trojan horses all the time, even when virus programs delete them. AVG sent me software to analyse my computer; it picked up the file and asked me to send it to them. They came back within a few days saying it was a new virus and have incorporated the cure in their latest update (22/10/2014). I ran it, the file was deleted on restart, and my problems are gone. Well done AVG!! It can't be easily deleted even in Safe Mode; you have to do it in Safe Mode DOS start-up if you want to do it manually, or use third-party software that deletes a file in use, but it can safely be deleted.
Bryan