Adlice forum
General Category => Malware removal help => Topic started by: 236dave on April 13, 2015, 01:17:55 PM
-
Hi,
I have a HP laptop running Windows 7 and ask for help in getting rid of Malware.
I have run Roguekiller several times, but the problem keeps returning.
I have read the article http://www.adlice.com/userland-rootkits-part-1-iat-hooks/ which I was directed to after one of the scans, but I am not a computer techie, and would like a simple layman's guide on how to get rid of this problem.
I have saved the last Roguekiller report if that's any help? (see below)
Can someone please help me?
It would be much appreciated.
Thanks
Dave
RogueKiller V10.5.9.0 [Apr 7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dave [Administrator]
Started from : C:\Users\Dave\Desktop\RogueKiller.exe
Mode : Delete -- Date : 04/13/2015 11:51:23
¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] iexplore.exe(8464) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Suspicious.Path] (SVC) RapportCerberus_43926 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys[7] -> ERROR [41c]
¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS547575A9E384 +++++
--- User ---
[MBR] 9c50ca4918e89af5c43423daea0b5f77
[BSP] 450a4243d6e193ea8fdc87af2a3def53 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_04092015_172117.log - RKreport_DEL_04092015_172439.log - RKreport_SCN_04102015_000703.log - RKreport_DEL_04102015_002419.log
RKreport_SCN_04102015_152317.log - RKreport_DEL_04102015_153400.log - RKreport_SCN_04112015_003307.log - RKreport_DEL_04112015_003408.log
RKreport_SCN_04112015_113057.log - RKreport_DEL_04112015_113843.log - RKreport_DEL_04112015_113906.log - RKreport_SCN_04112015_121327.log
RKreport_DEL_04112015_123147.log - RKreport_SCN_04122015_085229.log - RKreport_DEL_04122015_085909.log - RKreport_SCN_04122015_092810.log
RKreport_SCN_04122015_203612.log - RKreport_SCN_04132015_002004.log - RKreport_DEL_04132015_083301.log - RKreport_SCN_04132015_091040.log
RKreport_DEL_04132015_091115.log - RKreport_SCN_04132015_115021.log
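The report above flags the RapportCerberus_43926 service as [Suspicious.Path] because its driver lives under C:\ProgramData rather than under the Windows directory. That alone does not make it malicious (Trusteer Rapport installs there legitimately), so the useful check is whether the registered binary is Authenticode-signed and by whom. The following is an added example written for this thread, not part of RogueKiller or of the original posts; it assumes an elevated PowerShell prompt and takes the service name straight from the report line.

```powershell
# Added example, not from the thread or from RogueKiller: inspect a service that a
# RogueKiller report flags as [Suspicious.Path] and check whether the binary it
# points at is Authenticode-signed and by whom. Run from an elevated PowerShell
# prompt. The default service name is the one in the report; any other name works.
param(
    [string]$ServiceName = 'RapportCerberus_43926'
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) {
    Write-Output "No service key at $key (already removed, or only in another control set)."
    return
}

$props     = Get-ItemProperty -Path $key
$imagePath = [string]$props.ImagePath
if (-not $imagePath) {
    Write-Output "Service $ServiceName has no ImagePath value."
    return
}

# Normalise the registered path: drop the NT object-manager prefix (\??\) that the
# report shows, drop surrounding quotes, expand %SystemRoot%-style variables, and
# resolve the relative (system32\drivers\x.sys) and \SystemRoot\ forms drivers use.
$file = $imagePath -replace '^\\\?\?\\', '' -replace '^"|"$', ''
$file = [Environment]::ExpandEnvironmentVariables($file)
$file = $file -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if ($file -notmatch '^[A-Za-z]:\\') { $file = Join-Path $env:SystemRoot $file }

$result = [ordered]@{
    Service   = $ServiceName
    ImagePath = $file
    Exists    = Test-Path -LiteralPath $file
    StartType = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    Status    = 'n/a'
    Signer    = 'n/a'
}
if ($result.Exists) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $result.Status = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
}
[pscustomobject]$result
```

A Valid status with a recognisable vendor subject means the path is merely unusual; NotSigned or HashMismatch on a kernel driver that starts at boot is the combination worth escalating. Note that the report's own "Deleted" lines refer to registry keys, so on a machine where the fix has already run the script simply reports that the key is gone.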
-
Hi Dave,
Welcome to Adlice.com Forum.
The report you posted was generated with the 32 bits version of RogueKiller.
Please download RogueKiller (64 bits version) (http://www.adlice.com//?smd_process_download=1&download_id=2181), redo a full scan and post the report obtained in your next reply.
Regards.
-
Hi Curson,
Before seeing your reply I found this thread http://forum.adlice.com/index.php?topic=273.0 and downloaded Processhacker, where I terminated the iexplorer.exe process tree, which was giving the background iexplorer pages. Task manager shows that they are no longer running, for now anyway.
I then saw your reply and followed the instructions.
Here is the latest report run with Roguekiller(x64):
Hope you can help.
Thanks
Dave
RogueKiller V10.5.9.0 (x64) [Apr 7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dave [Administrator]
Started from : C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1TSJTDUW\RogueKillerX64.exe
Mode : Delete -- Date : 04/13/2015 18:22:16
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) RapportCerberus_43926 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys[7] -> ERROR [41c]
¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS547575A9E384 +++++
--- User ---
[MBR] 9c50ca4918e89af5c43423daea0b5f77
[BSP] 450a4243d6e193ea8fdc87af2a3def53 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 700789 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1435625472 | Size: 14312 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 1464936448 | Size: 102 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_04092015_172117.log - RKreport_DEL_04092015_172439.log - RKreport_SCN_04102015_000703.log - RKreport_DEL_04102015_002419.log
RKreport_SCN_04102015_152317.log - RKreport_DEL_04102015_153400.log - RKreport_SCN_04112015_003307.log - RKreport_DEL_04112015_003408.log
RKreport_SCN_04112015_113057.log - RKreport_DEL_04112015_113843.log - RKreport_DEL_04112015_113906.log - RKreport_SCN_04112015_121327.log
RKreport_DEL_04112015_123147.log - RKreport_SCN_04122015_085229.log - RKreport_DEL_04122015_085909.log - RKreport_SCN_04122015_092810.log
RKreport_SCN_04122015_203612.log - RKreport_SCN_04132015_002004.log - RKreport_DEL_04132015_083301.log - RKreport_SCN_04132015_091040.log
RKreport_DEL_04132015_091115.log - RKreport_SCN_04132015_115021.log - RKreport_DEL_04132015_115123.log - RKreport_SCN_04132015_181016.log
-
Hi Dave,
I believe the injection to be caused by RapportCerberus, a security program.
Could you please restart Internet Explorer and follow the following process:
- Download Process Explorer (http://live.sysinternals.com/procexp.exe) and save it to your desktop.
- Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
- Locate the process named iexplore.exe, right click select Create Dump > Create Full Dump...
- Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
- Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.
Regards.
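Before creating a dump, it helps to see exactly which iexplore.exe instances exist, which one has no visible window, and which non-Microsoft modules are loaded into each, since those modules are what a [Proc.Injected] finding usually points at and what the analyst will look for in the dump. This is an added example written for this thread, not part of Process Explorer, RogueKiller or the original posts; it assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not from the thread or from Process Explorer: list every running
# iexplore.exe so the right PID is chosen for the dump, and show which modules in
# each one are not signed by Microsoft. Run from an elevated PowerShell prompt.
$procs = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { Write-Output 'No iexplore.exe is running.'; return }

foreach ($p in $procs) {
    $wmi   = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
    $title = if ($p.MainWindowTitle) { $p.MainWindowTitle } else { '(no window: background instance)' }
    Write-Output ("PID {0,-6} parent {1,-6} started {2:HH:mm:ss}  {3}" -f $p.Id, $wmi.ParentProcessId, $p.StartTime, $title)
    Write-Output ("    cmdline: {0}" -f $wmi.CommandLine)

    # Module enumeration can fail across 32/64-bit boundaries or on protected
    # processes; report that rather than abort the whole listing.
    try { $modules = @($p.Modules) }
    catch { Write-Output "    (cannot read modules: $($_.Exception.Message))"; $modules = @() }

    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        $sig     = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # Keep only modules not signed by Microsoft: browser add-ons, security
        # products such as Trusteer Rapport, or an actual injected payload.
        if ($subject -notmatch 'O=Microsoft Corporation') {
            Write-Output ("    {0,-36} {1,-12} {2}" -f $m.ModuleName, $sig.Status, $m.FileName)
            Write-Output ("    {0,-36} signer: {1}" -f '', $subject)
        }
    }
}
```

The listing only covers DLLs that are mapped as modules; code injected as a raw thread or memory region does not appear here, which is why the full dump requested above is still needed. The PID and the "(no window)" marker are the quick way to tell a background instance from the one the user opened, and to avoid dumping a different process such as explorer.exe by mistake.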
-
Hi Curson
Followed your instructions, and here is the link to the dump file.
https://drive.google.com/file/d/0B3HVkdtL-bK7NG1rSF9Nd1lQYlU/view?usp=sharing
Thanks
Dave
-
Hi Dave,
You dumped the process explorer.exe, not iexplorer.exe.
Could you please redo the dumping process?
Regards.
-
Hi Curson,
Sorry I'll try again.
I am now getting another iexplorer running in the background, it shows up in the Applications tab of task manager.
I have found two different instances of iexplore in procexp, so I have attached links to both, the 2nd one I renamed iexplore2:
https://drive.google.com/file/d/0B3HVkdtL-bK7WjVRTS13dFExYnM/view?usp=sharing
https://drive.google.com/file/d/0B3HVkdtL-bK7ZmZSbkljNE5fQUk/view?usp=sharing
Hope this helps.
Dave
-
Hi Curson,
Hope you get the chance to look at my previous post with the attachments.
It's now near bed time over here in the UK, but I will check in tomorrow after work.
All the best.
Dave
-
Hi Dave,
Analysing the dumps will require some time.
I will keep you updated there.
Regards.
-
Thanks Curson!
Your help is much appreciated.
Dave
-
Hi Dave,
I analysed the dumps and found nothing malicious.
The injection will be whitelisted in RogueKiller as soon as possible.
Regards.
-
Hi Curson,
Good to hear there was nothing malicious found.
Excuse my ignorance, but am I right in thinking by whitelisting the injection, it will be automatically blocked by Roguekiller?
Thanks for your efforts, I would like to purchase your premium version.
Is it now safe to make the financial transaction on my laptop?
I have been reluctant to make any financial transactions with the problem I've had.
Could you give an estimate of when the whitelist will be introduced?
Thanks
Dave
-
Hi Dave,
Good to hear there was nothing malicious found.
Excuse my ignorance, but am I right in thinking by whitelisting the injection, it will be automatically blocked by Roguekiller?
Once the injection is whitelisted, RogueKiller won't detect it anymore.
Thanks for your efforts, I would like to purchase your premium version.
Is it now safe to make the financial transaction on my laptop?
I have been reluctant to make any financial transactions with the problem I've had.
I am pleased to hear that our product has been helpful to you. Thanks for supporting it. :)
Could you give an estimate of when the whitelist will be introduced?
I cannot give you a date for the time being but I will not fail to inform you when it's done.
Regards
-
Hi Curson,
I'm a bit puzzled, how will whitelisting help?
I still have the original problem, where extra iexplorer pages (normally ads) are being opened up in the background, which slows up my laptop.
How do I get rid of this problem?
Thanks for helping.
Dave
-
Hi Dave,
I'm sorry I had not realized that the problem was not solved.
We will investigate this more thoroughly.
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Regards.
-
Hi Curson,
Followed your instructions, and attached the logs.
The FRST64 stalled a few times, ie it displayed (not responding), but then continued to run.
The logs had too many characters to cut and paste, so I have attached zip files.
Hope you can help.
Dave
-
Hi Dave,
Some error occurred during the scan, indeed.
A quick question, are you being helped in another forum at the same time?
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
How is the computer running?
Regards.
-
Hi Curson,
I saved fixlist.txt to my desktop, where I have FRST64, is this what you meant by they must be in the same location?
I then opened FRST64 and ran a scan, before hitting the Fix button.
The fixlist.txt then disappeared from my desktop?
So far the problem hasn't reappeared, and I've been using my laptop for a few hours now.
It would normally return after about 1/2hr usage.
There are still a few queries (pic attached), such as:
Internet histogram in tray shows a yellow dot, instead of white reception strength bars (it's been this way for a few weeks)
Intel RST is not running.
But my laptop is running much quieter and quicker, so a big thanks to you!
btw - To answer your question, I have not been helped in another forum, it's only been yourself who has helped me.
I have also attached the Fixlog.txt that you asked for.
Regards
Dave
-
Hi Dave,
I saved fixlist.txt to my desktop, where I have FRST64, is this what you meant by they must be in the same location?
I then opened FRST64 and ran a scan, before hitting the Fix button.
The fixlist.txt then disappeared from my desktop?
So far the problem hasn't reappeared, and I've been using my laptop for a few hours now.
It would normally return after about 1/2hr usage.
It was not necessary to rerun a scan before proceeding with the fix (that's why the fixlist.txt was deleted).
Anyway, FRST did its job successfully. All the problematic entries seem to be gone.
Internet histogram in tray shows a yellow dot, instead of white reception strength bars (it's been this way for a few weeks)
It's difficult to determine the cause but let's try a generic fix.
Please open a command prompt with admin rights and copy/paste the following command:
winmgmt /salvagerepository
Intel RST is not running.
Please uninstall Intel RST module. Then download the latest version HERE (http://downloadmirror.intel.com/24779/eng/setupRST.exe) and install it.
Reboot your computer.
But my laptop is running much quieter and quicker, so a big thanks to you!
I'm glad to hear that.
How is the computer running for the time being?
Regards.
-
Hi Curson,
Laptop is still running fine with no return of my original problem.
I followed your instructions:
ie,
Copied and pasted the code into command prompt - see screen print attached
also
uninstalled existing Intel RST, but new installation failed - see screen print attached
Thanks for the continued support.
Dave
-
Hi Dave,
Could you please try with this one (http://downloadmirror.intel.com/17296/a08/iata78_cd.exe)?
Regards.
-
Hi Curson,
I've just purchased the Premium version :)
Which is in appreciation of your continued support!
& this software that is spotting problems that my paid Malwarebytes is not.
btw I tried the new link but still no joy, see attached screen prints.
Regards
Dave
-
Hi Dave,
I've just purchased the Premium version :)
Which is in appreciation of your continued support!
Many thanks for supporting us! I am glad to hear your satisfaction. :)
& this software that is spotting problems that my paid Malwarebytes is not.
Malwarebytes Anti-Malware and RogueKiller use two different approaches to fight malware. Therefore, they are pretty complementary.
btw I tried the new link but still no joy, see attached screen prints.
That's pretty weird.
Could you please download and execute the Intel Chipset Device Software (http://downloadmirror.intel.com/20775/eng/SetupChipset.exe) utility and then retry the install of Intel RST?
Regards.
-
Hi Curson,
I successfully installed the 'Intel Chipset Device Software' and then tried installing from your link on post #20, but it failed again with the same error, see attached.
Dave
-
Hi Dave,
Could you please do a last try with the Intel RST installer on post #18 (http://forum.adlice.com/index.php?topic=424.msg2132#msg2132)?
Regards.