Adlice forum
Software feedback => RogueKiller => Topic started by: dsdave on October 25, 2014, 04:51:05 AM
-
I am having trouble with malware. I am unable to remove it.
I am not sure what to do with my scan; see the log below.
RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Mode : Scan -- Date : 10/24/2014 22:31:21
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 12 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/ -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 | (default) : C:\Users\Dave\AppData\Local\Temp\sypcdjt\shoimqs\wow64.dll -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 12 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\SysWOW64\drivers\Afc.sys)
[IAT:Addr] (explorer.exe @ systemcpl.dll) NETAPI32.dll - DsRoleFreeMemory : C:\Windows\system32\dsrole.dll @ 0x7fefa701438
[IAT:Addr] (explorer.exe @ systemcpl.dll) NETAPI32.dll - DsRoleGetPrimaryDomainInformation : C:\Windows\system32\dsrole.dll @ 0x7fefa701010
[IAT:Addr] (explorer.exe @ systemcpl.dll) NETAPI32.dll - NetServerGetInfo : C:\Windows\system32\srvcli.dll @ 0x7fefcbb1968
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLOpen : C:\Windows\system32\SPPC.DLL @ 0x7feecda85c4
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetLicensingStatusInformation : C:\Windows\system32\SPPC.DLL @ 0x7feecdaaab4
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetSLIDList : C:\Windows\system32\SPPC.DLL @ 0x7feecda9c44
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetPKeyInformation : C:\Windows\system32\SPPC.DLL @ 0x7feecdaa974
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLClose : C:\Windows\system32\SPPC.DLL @ 0x7feecda86f0
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetProductSkuInformation : C:\Windows\system32\SPPC.DLL @ 0x7feecdaa8e0
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLRegisterEvent : C:\Windows\system32\SPPC.DLL @ 0x7feecdab218
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLUnregisterEvent : C:\Windows\system32\SPPC.DLL @ 0x7feecdab2d0
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EALX-759BA1 ATA Device +++++
--- User ---
[MBR] f34cea7fc3572047967e5a164204959f
[BSP] b8cb3719ab429628921f061261d02737 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15166 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31141888 | Size: 938662 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
-
What if you press "Delete"?
-
Cleans up a bit: still have 7 reg errors.
Malware still blocking attacks.
Next step?
-
Can you please give the removal report?
-
Sure, thanks.
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 7 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/ -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/ -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 10 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\SysWOW64\drivers\Afc.sys)
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x3410550
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x34105d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x34105b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x3410530
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x34105f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x3410610
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x3410630
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x3410570
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x3410590
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EALX-759BA1 ATA Device +++++
--- User ---
[MBR] f34cea7fc3572047967e5a164204959f
[BSP] b8cb3719ab429628921f061261d02737 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15166 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31141888 | Size: 938662 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_DEL_10242014_230833.log - RKreport_DEL_10242014_231214.log - RKreport_SCN_10242014_223121.log - RKreport_SCN_10242014_230612.log
RKreport_SCN_10252014_091725.log - RKreport_DEL_10252014_092559.log - RKreport_DEL_10252014_092656.log - RKreport_SCN_10252014_093027.log
-
I don't see where the BHO is removed :/
Is it still here after a scan?
-
Not sure what BHO is, but I reran the report.
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : [Administrator]
Mode : Delete -- Date : 10/25/2014 14:31:22
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 1025_1159925229422 : "C:\Users\Dave\AppData\Local\LMIR0001.tmp_r.bat" [-] -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/ -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/ -> Not selected
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 19 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\SysWOW64\drivers\Afc.sys)
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x2e10310
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x2e10390
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x2e10370
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x2e102f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x2e103b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x2e103d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x2e103f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x2e10330
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x2e10350
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x2f901d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x2f90250
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x2f90230
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x2f901b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x2f90270
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x2f90290
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x2f902b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x2f901f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x2f90210
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EALX-759BA1 ATA Device +++++
--- User ---
[MBR] f34cea7fc3572047967e5a164204959f
[BSP] b8cb3719ab429628921f061261d02737 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15166 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31141888 | Size: 938662 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_DEL_10242014_230833.log - RKreport_DEL_10242014_231214.log - RKreport_DEL_10252014_092559.log - RKreport_DEL_10252014_092656.log
RKreport_DEL_10252014_093244.log - RKreport_DEL_10252014_093827.log - RKreport_DEL_10252014_093841.log - RKreport_SCN_10242014_223121.log
RKreport_SCN_10242014_230612.log - RKreport_SCN_10252014_091725.log - RKreport_SCN_10252014_093027.log - RKreport_SCN_10252014_143037.log
-
So what's the problem? :)