Adlice forum

General Category => Malware removal help => Topic started by: BigEd1071 on February 27, 2015, 07:43:44 PM

Title: Pc is unstable Please help
Post by: BigEd1071 on February 27, 2015, 07:43:44 PM
New to this forum. Thank you in advance for your help.  My computer running Vista Home Premium has become unstable and continues to become unresponsive when left at idle for more than 15 minutes. I ran RogueKiller and this is my report. Please let me know if this is clean or not. Thanks again!

RogueKiller V10.3.0.0 [Feb 16 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Mr. Ed [Administrator]
Mode : Scan -- Date : 02/27/2015  13:13:38

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x880dfc10
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x880dfca8
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[18] : Unknown @ 0x87b79748
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[21] : Unknown @ 0x87d57520
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[42] : Unknown @ 0x880e0ec0
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[67] : Unknown @ 0x880dfa38
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[77] : Unknown @ 0x880e0cb8
[SSDT:Addr(Hook.SSDT)] NtCreateThread[78] : Unknown @ 0x8878a450
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[116] : Unknown @ 0x880e0f58
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[129] : Unknown @ 0x87b79848
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[147] : Unknown @ 0x87b795d8
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[156] : Unknown @ 0x880dfae0
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[158] : Unknown @ 0x880dfb78
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[165] : Unknown @ 0x87c75338
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[177] : Unknown @ 0x87b79520
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[184] : Unknown @ 0x880df9a0
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x87dfd608
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[195] : Unknown @ 0x87b797d0
[SSDT:Addr(Hook.SSDT)] NtOpenSection[197] : Unknown @ 0x880df870
[SSDT:Addr(Hook.SSDT)] NtOpenThread[201] : Unknown @ 0x880df4c8
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[210] : Unknown @ 0x880e0e18
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : Unknown @ 0x880e0c10
[SSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[261] : Unknown @ 0x880e0b68
[SSDT:Addr(Hook.SSDT)] NtResumeThread[282] : Unknown @ 0x880dfd40
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x880dff08
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[305] : Unknown @ 0x880dff80
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : Unknown @ 0x880e0fd0
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[330] : Unknown @ 0x880df908
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[331] : Unknown @ 0x880dfdd8
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8819b0c0
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[335] : Unknown @ 0x880dfe70
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : Unknown @ 0x87b79488
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x87b79680
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : Unknown @ 0x880e0d60
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[317] : Unknown @ 0x889d49a8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x889c0228
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[428] : Unknown @ 0x889d3180
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[430] : Unknown @ 0x889d3fd0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[442] : Unknown @ 0x889c8e10
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : Unknown @ 0x889d3da0
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : Unknown @ 0x889c8468
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : Unknown @ 0x889d3e28
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x889d3248
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x889d4fb0

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST332081 3AS SCSI Disk Device +++++
--- User ---
[MBR] 7874a3666fcbd00374f23e6e96c32625
[BSP] 309fdfd200901d3359dd1e035123a213 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 293696 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 601489665 | Size: 11546 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


============================================
RKreport_DEL_02172015_224209.log - RKreport_DEL_02172015_224255.log - RKreport_DEL_02172015_224258.log - RKreport_DEL_02172015_224302.log
RKreport_DEL_02172015_224315.log - RKreport_DEL_02172015_225426.log - RKreport_DEL_02172015_225435.log - RKreport_DEL_02172015_225436.log
RKreport_DEL_02172015_225437.log - RKreport_DEL_02172015_225438.log - RKreport_DEL_02172015_225439.log - RKreport_DEL_02172015_225440.log
RKreport_DEL_02172015_225441.log - RKreport_DEL_02172015_225442.log - RKreport_DEL_02172015_225450.log - RKreport_DEL_02222015_002720.log
RKreport_DEL_02222015_002723.log - RKreport_DEL_02222015_002741.log - RKreport_DEL_02222015_002756.log - RKreport_SCN_02172015_120211.log
RKreport_SCN_02172015_213052.log - RKreport_SCN_02172015_225253.log - RKreport_SCN_02222015_002313.log
Title: Re: Pc is unstable Please help
Post by: Curson on March 01, 2015, 10:56:34 PM
Hi BigEd1071,

Welcome to Adlice.com Forum!
Do you use security software featuring anti-exploit technology ?

The SSDT hooks need to be investigated.
Please follow the following process as closely as possible.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your next reply.

Regards.
Title: Re: Pc is unstable Please help
Post by: BigEd1071 on March 03, 2015, 06:24:46 AM
Thank you.  No threats were found. Not sure about the security software featuring anti-exploit technology? Here are the contents of the TDSSKiller log.

Title: Re: Pc is unstable Please help
Post by: Curson on March 03, 2015, 03:52:38 PM
Hi BigEd1071,

The SSDT hooks are harmless. I seriously doubt that the problems you described are caused by malware.
To check, could you please download RogueKiller's latest version, run a new scan and post the report obtained in your next reply ?

Regards.
Title: Re: Pc is unstable Please help
Post by: BigEd1071 on March 04, 2015, 01:32:19 AM
Thank you.  Here is the latest report.

RogueKiller V10.5.0.0 [Mar  2 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Mr. Ed [Administrator]
Mode : Scan -- Date : 03/03/2015  19:28:47

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1119333972-2933176690-2880281189-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] HP Photo Creations Communicator.job -- C:\ProgramData\HP Photo Creations\Communicator.exe (--auto) -> Found
[Suspicious.Path] \\HP Photo Creations Communicator -- C:\ProgramData\HP Photo Creations\Communicator.exe (--auto) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x87df79f8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x87df7a90
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[18] : Unknown @ 0x8848b288
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[21] : Unknown @ 0x87d2c428
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[42] : Unknown @ 0x87df7470
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[67] : Unknown @ 0x87df7820
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[77] : Unknown @ 0x87df7268
[SSDT:Addr(Hook.SSDT)] NtCreateThread[78] : Unknown @ 0x88528cd0
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[116] : Unknown @ 0x87df7508
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[129] : Unknown @ 0x8848b3c8
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[147] : Unknown @ 0x87df7f80
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[156] : Unknown @ 0x87df78c8
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[158] : Unknown @ 0x87df7960
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[165] : Unknown @ 0x87d2e6d0
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[177] : Unknown @ 0x87df7ec8
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[184] : Unknown @ 0x87df7788
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x8848b4b8
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[195] : Unknown @ 0x8848b330
[SSDT:Addr(Hook.SSDT)] NtOpenSection[197] : Unknown @ 0x87df7658
[SSDT:Addr(Hook.SSDT)] NtOpenThread[201] : Unknown @ 0x8848b470
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[210] : Unknown @ 0x87df73c8
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : Unknown @ 0x87df71c0
[SSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[261] : Unknown @ 0x88267fc0
[SSDT:Addr(Hook.SSDT)] NtResumeThread[282] : Unknown @ 0x87df7b28
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x87df7cf0
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[305] : Unknown @ 0x87df7d88
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : Unknown @ 0x87df75a0
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[330] : Unknown @ 0x87df76f0
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[331] : Unknown @ 0x87df7bc0
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x85ce9ef8
[SSDT:Addr(Hook.SSDT)] unknown[335] : Unknown @ 0x87df7c58
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : Unknown @ 0x87df7e30
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x8848b1c0
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : Unknown @ 0x87df7310
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[317] : Unknown @ 0x886d51a8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x886c8bc0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[428] : Unknown @ 0x886b30c0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[430] : Unknown @ 0x87b3eed8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[442] : Unknown @ 0x886b31b8
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : Unknown @ 0x886c8800
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : Unknown @ 0x886c8910
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : Unknown @ 0x886c8888
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x886d5a98
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x886b35e0

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST332081 3AS SCSI Disk Device +++++
--- User ---
[MBR] 7874a3666fcbd00374f23e6e96c32625
[BSP] 309fdfd200901d3359dd1e035123a213 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 293696 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 601489665 | Size: 11546 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


============================================
RKreport_DEL_02172015_224209.log - RKreport_DEL_02172015_224255.log - RKreport_DEL_02172015_224258.log - RKreport_DEL_02172015_224302.log
RKreport_DEL_02172015_224315.log - RKreport_DEL_02172015_225426.log - RKreport_DEL_02172015_225435.log - RKreport_DEL_02172015_225436.log
RKreport_DEL_02172015_225437.log - RKreport_DEL_02172015_225438.log - RKreport_DEL_02172015_225439.log - RKreport_DEL_02172015_225440.log
RKreport_DEL_02172015_225441.log - RKreport_DEL_02172015_225442.log - RKreport_DEL_02172015_225450.log - RKreport_DEL_02222015_002720.log
RKreport_DEL_02222015_002723.log - RKreport_DEL_02222015_002741.log - RKreport_DEL_02222015_002756.log - RKreport_SCN_02172015_120211.log
RKreport_SCN_02172015_213052.log - RKreport_SCN_02172015_225253.log - RKreport_SCN_02222015_002313.log - RKreport_SCN_02272015_131338.log
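The two reports above list the same 44 hooked services (process and thread creation, virtual memory read/write, keyboard state, SetWindowsHookEx and so on, the set a HIPS or anti-exploit driver typically intercepts), but every hook address differs between the 27 February and 3 March scans, and the second scan prints service 335 as "unknown" where the first resolved it as NtTerminateThread. The script below is an added example, not RogueKiller's or Adlice's code, showing how a responder would diff the Antirootkit sections of two reports: it keys the hooks on (table, service index), which is stable on a given Windows build, rather than on the name or the address, and it resolves a name one scan failed to print from the other scan. The sample input is copied from the reports posted in this thread and trimmed to six entries; reading the address change as "the same hooking driver was loaded at a different address after a reboot" is this example's assumption, not a statement from the thread.

```python
"""Diff the SSDT / Shadow SSDT hook sections of two RogueKiller reports.

Added example for the thread above; not RogueKiller's own code. The two
sample reports are excerpts copied from the reports posted in the thread,
trimmed to six hook lines each plus a couple of non-hook lines to show
that the parser ignores them.
"""
import re
from dataclasses import dataclass

# One hook line, e.g.
# [SSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x87dfd608
HOOK_RE = re.compile(
    r"^\[(?P<table>SSDT|ShwSSDT):Addr\(Hook\.(?:SSDT|Shadow)\)\]\s+"
    r"(?P<name>\S+)\[(?P<index>\d+)\]\s+:\s+(?P<owner>\S+)\s+@\s+"
    r"(?P<addr>0x[0-9a-fA-F]+)\s*$"
)


@dataclass(frozen=True)
class Hook:
    table: str   # "SSDT" (ntoskrnl table) or "ShwSSDT" (win32k shadow table)
    index: int   # service number inside that table; stable for one OS build
    name: str    # syscall name as printed ("unknown" when the tool could not resolve it)
    owner: str   # module the hook was attributed to ("Unknown" = no module matched)
    addr: int    # address the service table entry now points to


def parse_hooks(report: str) -> dict:
    """Return {(table, index): Hook} for every hook line; all other lines are skipped."""
    hooks = {}
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = Hook(m["table"], int(m["index"]), m["name"], m["owner"], int(m["addr"], 16))
            hooks[(h.table, h.index)] = h
    return hooks


def compare_hooks(old: dict, new: dict) -> dict:
    """Match entries across two scans by (table, index) and classify each one."""
    result = {"added": [], "removed": [], "moved": [], "unchanged": [], "name_resolved": {}}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            result["added"].append(new[key])
        elif key not in new:
            result["removed"].append(old[key])
        else:
            o, n = old[key], new[key]
            # A name one scan printed as "unknown" can be taken from the other scan.
            if n.name == "unknown" and o.name != "unknown":
                result["name_resolved"][key] = o.name
            (result["moved"] if o.addr != n.addr else result["unchanged"]).append((o, n))
    return result


def summarize(old: dict, new: dict) -> dict:
    """Answer the questions a responder asks when comparing two scans."""
    d = compare_hooks(old, new)
    return {
        # Same services hooked in both scans? New or vanished hooks would need a look.
        "same_hook_set": not d["added"] and not d["removed"],
        "hooked_services": sorted({h.name for h in old.values()} - {"unknown"}),
        # Entries whose name had to be recovered from the other scan.
        "unresolved_names": dict(d["name_resolved"]),
        # Hooks whose target address changed between scans (assumed here to be the
        # hooking driver being loaded at a different address after a reboot).
        "moved": len(d["moved"]),
        # Hooks the tool could not attribute to a loaded module.
        "unattributed": sum(1 for h in new.values() if h.owner == "Unknown"),
    }


# Excerpt of the 02/27/2015 report from the thread (trimmed).
REPORT_FEB27 = r"""
¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x87dfd608
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8819b0c0
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[335] : Unknown @ 0x880dfe70
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x87b79680
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x889c0228
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x889d3248
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost
"""

# Excerpt of the 03/03/2015 report from the thread (trimmed).
REPORT_MAR03 = r"""
¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x8848b4b8
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x85ce9ef8
[SSDT:Addr(Hook.SSDT)] unknown[335] : Unknown @ 0x87df7c58
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x8848b1c0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x886c8bc0
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x886d5a98
"""

if __name__ == "__main__":
    old, new = parse_hooks(REPORT_FEB27), parse_hooks(REPORT_MAR03)
    for k, v in summarize(old, new).items():
        print(f"{k}: {v}")
```

On the full reports the same comparison gives an identical set of 44 (table, index) keys in both scans, every address changed, and exactly one name to recover (SSDT 335). What the script cannot tell you is which driver owns the hooks: RogueKiller printed "Unknown" for all of them, so the next step a practitioner would take is to map those addresses to loaded kernel modules (for example with the list of driver load ranges from a kernel debugger or another anti-rootkit tool) and check whether they fall inside an installed security product's driver.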
Title: Re: Pc is unstable Please help
Post by: Curson on March 04, 2015, 09:49:14 PM
Hi BigEd1071,

This last report is clean; no trace of malware was found.
I think the issue is related to the OS itself; you should investigate in that direction, in my opinion.

If you have any more questions, feel free to ask.

Regards.
Title: Re: Pc is unstable Please help
Post by: BigEd1071 on March 05, 2015, 09:17:40 AM
Thank you for reviewing these reports.  8) 8)
Title: Re: Pc is unstable Please help
Post by: Curson on March 05, 2015, 06:15:43 PM
Hi BigEd1071,

You are very welcome.  :)

Regards.