Adlice forum

General Category => Malware removal help => Topic started by: GREENRAGE on April 28, 2015, 07:03:47 PM

Title: System invaded by.... rootkit combo module kernal thingy
Post by: GREENRAGE on April 28, 2015, 07:03:47 PM

I need help! My system began "disappearing my start up menu settings, then seems like all hell broke loose. I got Rogue Killer to get rid of the problem and also Spybot. The reoccurring  PUMs have made it damned near impossible for me to access banking or credit card system online, which is a big problem as there are no cc branches in my city. Please help! I've very little experience with computers and not a techie.


RogueKiller V10.6.1.0 [Apr 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : GREEN [Administrator]
Started from : C:\Users\GREEN\Desktop\RogueKiller.exe
Mode : Delete -- Date : 04/28/2015  08:24:08

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1571821587-2768315750-2841091644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1571821587-2768315750-2841091644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1571821587-2768315750-2841091644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1571821587-2768315750-2841091644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1571821587-2768315750-2841091644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1571821587-2768315750-2841091644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1571821587-2768315750-2841091644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000062 (\SystemRoot\system32\DRIVERS\intelppm.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS542580K9SA00 +++++
--- User ---
[MBR] ac48e5d161592f0538b8a0bad53299ce
[BSP] fe0b7c800a2e253d87e4f0d4406e62fb : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10000 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 20482048 | Size: 33161 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 88395776 | Size: 33156 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Title: Re: System invaded by.... rootkit combo module kernal thingy
Post by: Curson on April 29, 2015, 09:16:02 PM

Hi GREENRAGE,

Welcome to Adlice.com Forum.

Please download Malwarebytes Anti-Malware (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) and save it to your desktop.

• Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  Malwarebytes will automatically open to it's Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  

• Click on Update Now to download the current database definitions, then click the Scan Now button.
  If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  

The THREAT SCAN will automatically begin.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.

After rebooting the computer, copy and past the mbam.log in your next reply.

To retrieve the scan log information (Method 1) :

• Open Malwarebytes Anti-Malware.
• Click the History Tab at the top and select Application Logs.
  
• Select the box next to Scan Log. Choose the most current scan.
  
• Click the Export button and save the log as a .txt file on your Desktop or another location.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the scan log information (Method 2) :

• Open Malwarebytes Anti-Malware.
• Click the Scan Tab at the top.
  
• Click the View detailed log link on the right.
  
• Click the Export button and save the log as a .txt file on your Desktop or another location.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:

• -- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
• -- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Regards.