Adlice forum
General Category => Malware removal help => Topic started by: effinglady on April 24, 2015, 03:48:28 AM
-
I suspect I may have an infection. AVG detected Trojan horse msil7.bwhx. This prompted me to run RogueKiller. Please take a look at my report and advise me what steps I should take.
Thanks
RogueKiller V10.6.0.0 (x64) [Apr 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : soserenity [Administrator]
Started from : G:\Desktop_move\RogueKillerX64.exe
Mode : Scan -- Date : 04/23/2015 21:28:39
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 13 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe") -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe") -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe") -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\MailRuUpdateTask -- C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe (--scheduler) -> Found
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 4 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - RtlCaptureContext : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (chrome.exe) wow64win.dll - sdwhwin32 : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (chrome.exe) wow64cpu.dll - CpuNotifyAffinityChange : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (chrome.exe) wow64.dll - Wow64KiUserCallbackDispatcher : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] 6c5bee2a33b71e821770831803fd6426
[BSP] da718f200c79b6b4eb69e7ee20c6fa8e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 51100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104859648 | Size: 902666 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_04232015_204903.log
-
Hi effinglady,
Welcome to Adlice.com Forum.
Could you please give me the full name and path of the process detected by AVG?
Did you install MailRuUpdater on purpose?
Regards.
-
Hi Curson.
I really appreciate the help. I didn't install MailRuUpdater on purpose. I have attached an AVG screenshot.
-
Hi effinglady,
Thanks for the information.
Restart RogueKiller and select the following entries for deletion:
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe
[PUP] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe
[PUP] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe")
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe")
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe")
[Suspicious.Path] \\MailRuUpdateTask -- C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe (--scheduler)
Please copy/paste the report obtained in your next reply.
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Regards.
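As an added example (not from the thread, and not Adlice's own code), a small parser for the RogueKiller V10 report lines quoted above. It separates the autostart entries Curson selects for deletion (Run keys, services, scheduled tasks) from the PUM settings he leaves for review, flags the UAC prompt being turned off, and checks a rescan for leftovers. The sample lines, SID and user name are constructed.

```python
import re
from dataclasses import dataclass
# Constructed sample lines in the RogueKiller V10 report layout used in this thread
# (SID and user name shortened; not copied from a real machine).
SCAN_BEFORE = r"""
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-0-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\u\AppData\Local\Mail.Ru\MailRuUpdater.exe -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe") -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[Suspicious.Path] \\MailRuUpdateTask -- C:\Users\u\AppData\Local\Mail.Ru\MailRuUpdater.exe (--scheduler) -> Found
"""
SCAN_AFTER = r"""
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
"""
# [Class] (X64|X86, absent for scheduled tasks) <key | name : value> -> Found
LINE_RE = re.compile(r"^\[(?P<cls>[^\]]+)\] (?:\((?P<arch>X64|X86)\) )?(?P<body>.+?) -> Found$")

@dataclass(frozen=True)
class Finding:
    cls: str   # RogueKiller class, e.g. PUP, Suspicious.Path, PUM.Policies
    arch: str  # "X64", "X86" or "" for scheduled-task entries
    body: str  # key / name / value text as printed in the report

    @property
    def is_pum(self) -> bool:
        # PUM = potentially unwanted modification: a setting, not a binary
        return self.cls.startswith("PUM.")

    @property
    def is_autostart(self) -> bool:
        # Run keys, services and scheduled tasks are persistence locations
        return ("\\CurrentVersion\\Run" in self.body or "\\Services\\" in self.body
                or self.body.startswith("\\\\"))

def parse_report(text: str) -> list:
    return [Finding(m["cls"], m["arch"] or "", m["body"])
            for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def triage(findings: list) -> tuple:
    """Separate autostart entries to delete from PUM settings to review with the user."""
    delete = [f for f in findings if not f.is_pum and f.is_autostart]
    review = [f for f in findings if f.is_pum]
    return delete, review

def uac_prompt_disabled(findings: list) -> bool:
    # ConsentPromptBehaviorAdmin = 0 means administrators are elevated without any prompt
    return any("ConsentPromptBehaviorAdmin : 0" in f.body for f in findings if f.is_pum)

def still_present(before: list, after: list) -> list:
    """Entries selected for deletion that the rescan still reports."""
    delete, _ = triage(before)
    seen = {(f.arch, f.body) for f in after}
    return [f for f in delete if (f.arch, f.body) in seen]
```

Running it on the two constructed scans gives three entries to delete, two PUM settings to review, and an empty leftover list after the cleanup.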
-
Hi Curson.
Here is the new RogueKiller report.
RogueKiller V10.6.1.0 (x64) [Apr 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : soserenity [Administrator]
Started from : G:\Desktop_move\RogueKillerX64.exe
Mode : Scan -- Date : 04/27/2015 19:32:59
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 6 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] 6c5bee2a33b71e821770831803fd6426
[BSP] da718f200c79b6b4eb69e7ee20c6fa8e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 51100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104859648 | Size: 902666 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_04232015_204903.log - RKreport_SCN_04232015_212839.log - RKreport_SCN_04272015_183452.log - RKreport_SCN_04272015_191635.log
RKreport_DEL_04272015_191859.log - RKreport_SCN_04272015_192502.log - RKreport_DEL_04272015_192737.log
-
And the Farbar reports... They are too long to paste, so I attached them.
Thanks again.
-
Hi effinglady,
Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
How is the computer running?
Regards.
-
Hi Curson,
The computer has been running normally. I haven't noticed any lag in performance.
I attached the requested log.
EffingLady
-
Hi EffingLady,
Please remove the following directories:
C:\Users\soserenity\AppData\Local\Mail.Ru
C:\Users\soserenity\AppData\Roaming\Search Protection
C:\Program Files (x86)\webget
Then, please do a new scan with RogueKiller and copy/paste the report obtained in your next post.
Regards.
-
Hi Curson,
I deleted the first two directories but could not find the third (C:\Program Files (x86)\webget).
Here is the log.
RogueKiller V10.6.1.0 (x64) [Apr 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : soserenity [Administrator]
Started from : G:\Desktop_move\RogueKillerX64.exe
Mode : Scan -- Date : 05/01/2015 21:11:19
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 6 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] 6c5bee2a33b71e821770831803fd6426
[BSP] da718f200c79b6b4eb69e7ee20c6fa8e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 51100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104859648 | Size: 902666 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_04232015_204903.log - RKreport_SCN_04232015_212839.log - RKreport_SCN_04272015_183452.log - RKreport_SCN_04272015_191635.log
RKreport_DEL_04272015_191859.log - RKreport_SCN_04272015_192502.log - RKreport_DEL_04272015_192737.log - RKreport_SCN_04272015_193259.log
-
Hi effinglady,
Your report is clean.
How is your computer running now?
Regards.
-
Curson,
That is a great report. My computer is running well.
Thank you for all your help!
Effinglady
-
Hi effinglady,
You are very welcome.
I'm glad I was able to help you.
Regards.