Adlice forum

General Category => Malware removal help => Topic started by: Leety on April 20, 2015, 07:33:01 am

Title: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on April 20, 2015, 07:33:01 am
RogueKiller V10.5.10.0 (x64) [Apr 14 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Leety [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 04/20/2015  10:29:15

Processes : 0

Registry : 10
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

Tasks : 1
[Suspicious.Path] \\Origin -- C:\Users\Leety\AppData\Roaming\Origin\update.vbe -> ERROR

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] b002a17c1e68a5888fc3fca59c91a4a2
[BSP] cae03e6ffda7b01661dd3c9bc604aa9a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04202015_102659.log - RKreport_DEL_04202015_102743.log - RKreport_DEL_04202015_102747.log - RKreport_DEL_04202015_102751.log
RKreport_DEL_04202015_102753.log - RKreport_DEL_04202015_102758.log - RKreport_DEL_04202015_102809.log - RKreport_DEL_04202015_102812.log
RKreport_DEL_04202015_102816.log - RKreport_DEL_04202015_102911.log
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on April 21, 2015, 10:23:30 pm
Hi leety,

Welcome to Adlice.com Forum.

Is your ISP located in Pakistan ?
Please locate the following file, zip it and attach it with your next reply.
Quote
C:\Users\Leety\AppData\Roaming\Origin\update.vbe

Regards.

NOTE : Your post has been split into a new thread for clarity.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on April 26, 2015, 12:46:34 pm
Yes. I live in Pakistan. Here's the file. By the way, I got susp and ran this file, and Defender popped a message which said it's cleaning malware.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on April 26, 2015, 05:22:53 pm
Hi leety,

Please restart RogueKiller and select the following entries for deletion :
Quote
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys)
[Suspicious.Path] \\Origin -- C:\Users\Leety\AppData\Roaming\Origin\update.vbe
Please copy/paste the report obtained in your next reply.

Regards.
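The selection logic Curson applies above (delete the Suspicious.Path entries that point into user-writable Temp/Roaming folders, leave the PUM.Dns entries that match the user's own ISP country, leave the desktop-icon settings) can be written down as a small triage script. This is an added example, not RogueKiller's or the forum's code; the report lines are constructed from this thread, the GUID is a placeholder, and the user's country code is an assumption passed in by the caller.

```python
import re

# Constructed sample modelled on the RogueKiller lines in this thread (not a real report)
SAMPLE = r"""Registry : 3
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-PLACEHOLDER} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected

Tasks : 1
[Suspicious.Path] \\Origin -- C:\Users\Leety\AppData\Roaming\Origin\update.vbe -> ERROR
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+?) : \d+$")          # "Registry : 10", "Tasks : 1"
ENTRY_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s+(?:\((?P<arch>X64|X86)\)\s+)?(?P<body>.+?)\s+->\s+(?P<status>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()|]+")                # Windows paths inside the entry body
# User-writable locations where a driver, service binary or task script should not normally live
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")
EXEC_EXT = (".sys", ".exe", ".dll", ".vbs", ".vbe")

def parse_report(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["section"] = section
            d["paths"] = PATH_RE.findall(d["body"])
            entries.append(d)
    return entries

def triage(entry, user_country):
    """Map one entry to delete / review / ignore, following the reasoning in the thread."""
    if entry["cat"] == "Suspicious.Path":
        for p in entry["paths"]:
            low = p.lower()
            if low.endswith(EXEC_EXT) and any(d in low for d in USER_WRITABLE):
                return "delete"
        return "review"
    if entry["cat"] == "PUM.Dns":
        # Resolver geolocated to the user's own country is most likely the ISP's DNS
        countries = set(re.findall(r"\(([A-Z]{2})\)", entry["body"]))
        return "ignore" if countries == {user_country} else "review"
    if entry["cat"] == "PUM.DesktopIcons":
        return "ignore"   # hidden desktop icons are a user preference, not malware
    return "review"

def triage_report(text, user_country):
    return [(e["section"], e["cat"], triage(e, user_country)) for e in parse_report(text)]
```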
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on April 27, 2015, 04:46:55 pm
Ok, I deleted these 3 entries; the report afterwards looks like this.

RogueKiller V10.5.10.0 (x64) [Apr 14 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Leety [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 04/27/2015  19:46:21

Processes : 1
[Suspicious.Path] NvOAWrapperCache.exe(4720) -- C:\Users\Leety\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[7] -> Killed [TermProc]

Registry : 8
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] b002a17c1e68a5888fc3fca59c91a4a2
[BSP] cae03e6ffda7b01661dd3c9bc604aa9a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04202015_102659.log - RKreport_DEL_04202015_102743.log - RKreport_DEL_04202015_102747.log - RKreport_DEL_04202015_102751.log
RKreport_DEL_04202015_102753.log - RKreport_DEL_04202015_102758.log - RKreport_DEL_04202015_102809.log - RKreport_DEL_04202015_102812.log
RKreport_DEL_04202015_102816.log - RKreport_DEL_04202015_102911.log - RKreport_DEL_04202015_102915.log - RKreport_SCN_04262015_153813.log
RKreport_SCN_04262015_155125.log - RKreport_SCN_04272015_194155.log - RKreport_DEL_04272015_194259.log
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on April 27, 2015, 06:04:20 pm
Hi leety,

Your report is clean.
How is the computer running ?

Regards.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on September 06, 2015, 11:35:06 am
Thanks a lot for your help. It was working fine, then once again I noticed 99% disk usage in the Task Manager. Just when I run Google Chrome, a mysterious "svchost.exe" file appears with no apparent program name, which is located in my Windows/Temp folder. I ran Malwarebytes since I'm on Windows 10 now, but I wasn't satisfied, so I'm installing RogueKiller again; let's see what happens. Should I post you a report in a new topic or this one?
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on September 07, 2015, 01:25:57 pm
Hi leety,

You can post the report in this thread.
No need to create a new one.

Regards.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on September 09, 2015, 02:39:31 am
RogueKiller V10.10.4.0 (x64) [Sep  4 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : Leety [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 09/09/2015 05:38:30

Processes : 0

Registry : 5
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Lightshot : C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8a4bb498-b0b0-44bc-ae58-9388f5795601} | DhcpNameServer : 42.201.255.26 ([PAKISTAN (PK)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FE3A53D7-3C41-47F2-A8BE-84B7AEB36906} | NameServer : 42.201.255.130 42.201.255.26 ([PAKISTAN (PK)][PAKISTAN (PK)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8a4bb498-b0b0-44bc-ae58-9388f5795601} | DhcpNameServer : 42.201.255.26 ([PAKISTAN (PK)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FE3A53D7-3C41-47F2-A8BE-84B7AEB36906} | NameServer : 42.201.255.130 42.201.255.26 ([PAKISTAN (PK)][PAKISTAN (PK)])  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0x20])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] b002a17c1e68a5888fc3fca59c91a4a2
[BSP] cae03e6ffda7b01661dd3c9bc604aa9a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on September 11, 2015, 01:43:23 pm
Hi leety,

Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Regards.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on September 19, 2015, 02:17:03 am
Here, thanks again.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on September 24, 2015, 12:06:34 am
Hi tenshi304,

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is the computer running ?

Regards.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on September 26, 2015, 07:50:13 am
Thanks. I completed the steps from the above posts. The PC is running fine. Actually, just before running the Fix I noticed 55% memory usage with no programs open except Google Chrome with one tab. After the fix and the restart the PC is still working fine, and memory usage is down to 32~35% with one program and Chrome with 1 tab open.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on September 28, 2015, 04:41:24 pm
Hi Leety,

Could you please attach the file Fixlog.txt in your next reply ?

Regards.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on September 28, 2015, 07:03:56 pm
Here.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on September 28, 2015, 10:42:55 pm
Hi Leety,

Please zip and attach the following folder in your next post :
Quote
C:\FRST\Quarantine

Your computer is clean.
You can now safely delete the FRST files and folder.

Regards.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Leety on September 29, 2015, 03:15:38 am
I could not zip it. There was some error. I deleted all the FRST files though. Thanks.
Title: Re: [Split]1st Time Using RogueKiller, Don't Know What To Remove
Post by: Curson on September 30, 2015, 04:46:33 pm
Hi Leety,

Not a big deal.
You are welcome.

Regards.