RogueKiller / Please help with my report
« on: February 12, 2015, 05:11:51 PM »
Hello, and thank you for being there to provide assistance, it's very much appreciated. My Windows 7 installation was recently infected with Bubble Dock / MyStartSearch and a bunch of other really aggressive adware / browser hijack stuff. I managed to get rid of a lot of it using Malwarebytes, but it's not gone yet - it's still hijacking my homepage URL in Firefox, and who knows what else it's up to behind the scenes.
I scanned my PC just now using Roguekiller. It brought up three registry items that I immediately deleted / replaced, but I'm afraid I don't know anything about AntiRootKit and thus can't determine what I should do with the many apparent issues Roguekiller has found there. My report follows, and I'm very grateful for your help with it.
RogueKiller V10.2.0.0 [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Glenn [Administrator]
Mode : Delete -- Date : 02/12/2015 16:00:17
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 3 ¤¤¤
[PUM.StartMenu] HKEY_USERS\S-1-5-21-677298264-3223587607-2566296061-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] a1zkxhjf.default : user_pref("browser.startup.homepage", "?type=hppp"); -> Not selected
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545050A7E380 ATA Device +++++
--- User ---
[MBR] 92f0ccd3666b186411ea5dcce6155cd0
[BSP] 9ead5c52efb0cc6246808eaed70f5f56 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 200 MB
1 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 409640 | Size: 361442 MB
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 740907008 | Size: 115169 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR] 92f0ccd3666b186411ea5dcce6155cd0
[BSP] 9ead5c52efb0cc6246808eaed70f5f56 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 200 MB
1 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 409640 | Size: 361442 MB
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 740907008 | Size: 115169 MB [Error reading VBR! ([3e6] Invalid access to memory location. )]
============================================
RKreport_SCN_02122015_155836.log
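The report format above, read by an added example (my code, not RogueKiller's and not the poster's): it parses the `¤¤¤ Name : count ¤¤¤` section headers, the `[Category] target -> action` findings, and the per-drive MBR section with its `--- User ---` / `--- LL2 ---` reads and `User != LL2 ... KO!` verdict, then lists what the scan left untouched and what the KO verdict rests on. Everything about the line formats is inferred from this one report and is an assumption; `SAMPLE_REPORT` is an abbreviated copy of the posted log, embedded as test input.

```python
"""Parse a RogueKiller 10.x text report and list what still needs attention.
Added example, not RogueKiller's or the poster's code: the line formats are
inferred from the report above; SAMPLE_REPORT is an abbreviated copy of it."""
import re

SAMPLE_REPORT = r"""
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
User : Glenn [Administrator]
¤¤¤ Registry : 3 ¤¤¤
[PUM.StartMenu] HKEY_USERS\S-1-5-21-677298264-3223587607-2566296061-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] a1zkxhjf.default : user_pref("browser.startup.homepage", "?type=hppp"); -> Not selected
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545050A7E380 ATA Device +++++
--- User ---
[MBR] 92f0ccd3666b186411ea5dcce6155cd0
[BSP] 9ead5c52efb0cc6246808eaed70f5f56 : Windows Vista/7/8 MBR Code
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 200 MB
1 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 409640 | Size: 361442 MB
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 740907008 | Size: 115169 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR] 92f0ccd3666b186411ea5dcce6155cd0
[BSP] 9ead5c52efb0cc6246808eaed70f5f56 : Windows Vista/7/8 MBR Code
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 200 MB
1 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 409640 | Size: 361442 MB
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 740907008 | Size: 115169 MB [Error reading VBR! ([3e6] Invalid access to memory location. )]
"""

# Line shapes assumed from the posted report (not a published RogueKiller grammar).
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:]+?)\s*:\s*(?P<count>\d+)?\s*(?:\([^)]*\))?\s*¤¤¤$")
FINDING_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s*(?P<target>.*?)\s*->\s*(?P<action>.+)$")
DRIVE_RE = re.compile(r"^\+{5}\s*(?P<drive>.+?)\s*\+{5}$")
BLOCK_RE = re.compile(r"^---\s*(?P<name>\S+)\s*---$")
HASH_RE = re.compile(r"^\[(?P<kind>MBR|BSP)\]\s*(?P<hash>[0-9a-f]{32})(?:\s*:\s*(?P<desc>.+))?$")
COMPARE_RE = re.compile(r"^(?P<a>\w+)\s*(?P<op>!=|=)\s*(?P<b>\w+)\s*\.{3}\s*(?P<verdict>OK|KO!?)$")
PART_RE = re.compile(r"^(?P<idx>\d+)\s*-\s*\[(?P<flag>[^\]]+)\]\s*(?P<fs>.+?)\s*\((?P<ptype>0x[0-9A-Fa-f]+)\)"
                     r".*?Size:\s*(?P<size>\d+)\s*MB(?:\s*\[(?P<note>.*)\])?\s*$")

def parse_report(text):
    """Split a report into header fields, per-section findings and per-drive MBR reads."""
    report = {"header": {}, "sections": {}, "drives": []}
    section = drive = block = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION_RE.match(line):          # "¤¤¤ Name : count ¤¤¤" opens a section
            section = m.group("name")
            count = int(m.group("count")) if m.group("count") else None
            report["sections"][section] = {"count": count, "findings": []}
        elif section is None:                    # header fields before the first section
            if " : " in line:
                key, value = line.split(" : ", 1)
                report["header"][key.strip()] = value.strip()
        elif section != "MBR Check":             # "[Category] target -> action taken"
            if m := FINDING_RE.match(line):
                report["sections"][section]["findings"].append(
                    {"category": m.group("cat"), "target": m.group("target"), "action": m.group("action")})
        elif m := DRIVE_RE.match(line):          # one disk, read several ways, then compared
            drive = {"name": m.group("drive"), "reads": {}, "comparisons": []}
            report["drives"].append(drive)
            block = None
        elif drive is None:
            continue
        elif m := BLOCK_RE.match(line):          # "--- User ---", "--- LL2 ---": one read path each
            block = drive["reads"][m.group("name")] = {"hashes": {}, "partitions": []}
        elif m := COMPARE_RE.match(line):        # "User != LL2 ... KO!"
            drive["comparisons"].append((m.group("a"), m.group("op"), m.group("b"), m.group("verdict")))
        elif block is not None and (m := HASH_RE.match(line)):
            block["hashes"][m.group("kind")] = m.group("hash")
        elif block is not None and (m := PART_RE.match(line)):
            block["partitions"].append({"index": int(m.group("idx")), "flag": m.group("flag"), "fs": m.group("fs"),
                                        "type": m.group("ptype"), "size_mb": int(m.group("size")), "note": m.group("note")})
    return report

def assess(report):
    """Turn the parsed report into tagged one-line notes a responder can act on."""
    notes = []
    for name, sec in report["sections"].items():
        for f in sec["findings"]:
            tag = "PENDING" if f["action"].startswith("Not selected") else "HANDLED"
            notes.append(f"{tag} [{name}] {f['category']}: {f['target']} -> {f['action']}")
    for drive in report["drives"]:
        for a, op, b, verdict in drive["comparisons"]:
            if not verdict.startswith("KO"):
                notes.append(f"MBR-OK {drive['name']}: {a} {op} {b}")
                continue
            ra, rb = (drive["reads"].get(k, {"hashes": {}, "partitions": []}) for k in (a, b))
            errors = [p["note"] for p in ra["partitions"] + rb["partitions"]
                      if p["note"] and p["note"].startswith("Error")]
            if not ra["hashes"] or ra["hashes"] != rb["hashes"]:
                notes.append(f"MBR-HASH-MISMATCH {drive['name']}: {a} and {b} disagree on MBR/BSP code")
            elif errors:  # both reads hash to the same boot code; the KO coincides with a failed sector read
                notes.append(f"MBR-READ-ERROR {drive['name']}: {a}/{b} hashes identical; {'; '.join(errors)}")
            else:
                notes.append(f"MBR-KO-UNEXPLAINED {drive['name']}: {a} vs {b}")
    return notes

if __name__ == "__main__":
    for note in assess(parse_report(SAMPLE_REPORT)):
        print(note)
```

Run it on a saved RKreport log with `assess(parse_report(open(path, encoding=...).read()))`, using whatever encoding the log was saved in. On the report above it yields one HANDLED note for the registry item, one PENDING note for the Firefox `browser.startup.homepage` pref (the only finding marked "Not selected", so the hijacked homepage is still in place), MBR-OK for `User = LL1`, and MBR-READ-ERROR for `User != LL2`: the `[MBR]` and `[BSP]` hashes of the User and LL2 reads are identical, and the visible difference between them is the failed VBR read on partition 2. The case to treat as suspicious is the other branch, MBR-HASH-MISMATCH, where two read paths return different boot code.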