Author Topic: RogueKiller64 & root.Zekos (Read 23784 times)

jvastine · « **on:** June 07, 2014, 06:37:25 AM »

When I ran RK64 on my laptop it says that there was a root.zekos patch in svchost.exe, however there is no checkbox by the listing to delete/replace the file like is shown in your tutorial video. Why is this and how may I fix this invasion?

Thank you for your time and assistance as it is very much appreciated.

Peace!

Tigzy · « **Reply #1 on:** June 07, 2014, 03:32:43 PM »

Hello
This is in-memory injection. YOU DON'T HAVE TO REPLACE THE FILE!
If there's nothing in file directory, then this is because it's not properly detected.
Do you have the report?

jvastine · « **Reply #2 on:** June 07, 2014, 10:58:07 PM »

Hi Tigzy,

Okay, that makes sense. Here is the latest log file as per your request. I hope this is helpful!

RogueKiller V9.0.2.0 (x64) [Jun 3 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Jeff [Admin rights]
Mode : Scan -- Date : 06/06/2014 22:04:20
Switches : -nokill

¤¤¤ Bad processes : 1 ¤¤¤
[Root.Zekos] svchost.exe --

-> [NoKill]

¤¤¤ Registry Entries : 10 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHZ2250BH G2 ATA Device +++++
--- User ---
[MBR] ca8f4368b25ff5d4acb82b8993dd5ab2
[BSP] ce78a3935ef012636b3098d0945fbb2c : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 225247 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 461307904 | Size: 13224 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: JMCR SD/MMC SCSI Disk Device +++++
--- User ---
[MBR] fa6d13ad7179118f4fed64408274dacd
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x6) [VISIBLE] Offset (sectors): 135 | Size: 1884 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

============================================
RKreport_DEL_06062014_203858.log - RKreport_SCN_06062014_203441.log - RKreport_SCN_06062014_212619.log - RKreport_DEL_06062014_212820.log
RKreport_SCN_06062014_213427.log - RKreport_DEL_06062014_215712.log

Thanks for your time and assistance as it is greatly appreciated.

Peace!

Tigzy · « **Reply #3 on:** June 09, 2014, 08:18:35 AM »

Ok, makes sense.
Can you do a scan with Malwarebytes and provide the report?

jvastine · « **Reply #4 on:** June 09, 2014, 10:08:56 PM »

Here is the Malwarebytes log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/9/2014
Scan Time: 1:42:04 PM
Logfile: MBytesLog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.09.06
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: Jeff

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337910
Time Elapsed: 29 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)

I do not think that will be much help, but perhaps it may. If you need anything else please let me know.

Tigzy · « **Reply #5 on:** June 10, 2014, 07:20:44 AM »

Ok. So that's maybe a false positive then $:-\$
We'll investigate.

jvastine · « **Reply #6 on:** June 10, 2014, 10:46:56 PM »

Well the random audio started again so this must not have been a false positive. So here is a copy of the latest log from HijackThis that you may find helpful:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:27:17 PM, on 6/5/2014
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/rewards/dashboard?FORM=MH00ZP&OCID=MH00ZP/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {96b985b7-3cf9-456a-9db6-791710e60f5f} - C:\Program Files (x86)\MyPoints Point Finder\Helper.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {4219427b-0228-4356-a78b-eb7668d37d07} - C:\Program Files (x86)\InboxDollars\Helper.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {b03b3ced-82cf-43b6-b2d4-1b40851c7658} - C:\Program Files (x86)\Publishers Clearing House Prize Bar\Helper.dll
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: FCTBPos00Pos - {614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A} - C:\Program Files (x86)\MyPoints Point Finder\Toolbar.dll (file missing)
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - (no file)
O2 - BHO: FCTBPos00Pos - {6FFB615D-E8CE-4ADD-8D9F-31C4BE9C26E4} - C:\Program Files (x86)\InboxDollars\Toolbar.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.5.514\AVG SafeGuard toolbar_toolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: FCTBPos00Pos - {E32D05F6-B1BB-4F2F-A045-042144FCD2E0} - C:\Program Files (x86)\Publishers Clearing House Prize Bar\Toolbar.dll
O3 - Toolbar: &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: MyPoints Point Finder - {89A2510A-B4B6-4683-BEC9-1B96700BC7F1} - C:\Program Files (x86)\MyPoints Point Finder\Toolbar.dll (file missing)
O3 - Toolbar: InboxDollars - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Program Files (x86)\InboxDollars\Toolbar.dll
O3 - Toolbar: Publishers Clearing House PrizeBar - {0FB24E1F-D247-4F4E-8DDD-9E18EA10829F} - C:\Program Files (x86)\Publishers Clearing House Prize Bar\Toolbar.dll
O3 - Toolbar: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.5.514\AVG SafeGuard toolbar_toolbar.dll
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe"
O4 - HKLM\..\Run: [Smart File Advisor] "C:\Program Files (x86)\Smart File Advisor\sfa.exe" /checkassoc
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [B Register C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll",DllRegisterServer
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [otrokes] rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\otrokes.dll",otrokes (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [otrokes] rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\otrokes.dll",otrokes (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComSavePass.html
O8 - Extra context menu item: Show RoboForm Toolbar - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (PARTcommunity 3D Web Viewer) - http://misumi-configurator-de.partcommunity.com/partserver/viewer/cnsweb3d/cnsweb3d.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553530000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.5\ViProtocol.dll
O20 - Winlogon Notify: otrokes - C:\Windows\system32\config\systemprofile\AppData\Local\otrokes.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: DAZ Content Management Service (DAZContentManagementService) - Unknown owner - C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FABS - Helping agent for MAGIX media database (Fabs) - MAGIX AG - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV32.EXE
O23 - Service: PACE License Services (PaceLicenseDServices) - PACE Anti-Piracy, Inc. - C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater18.1.5 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 17386 bytes

Continues in next post...

jvastine · « **Reply #7 on:** June 10, 2014, 10:48:52 PM »

And here is the RogueKillerX64 report from a scan during the bugs activity:
RogueKiller V9.0.2.0 (x64) [Jun 3 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Jeff [Admin rights]
Mode : Scan -- Date : 06/10/2014 14:17:04
Switches : -nokill

¤¤¤ Bad processes : 3 ¤¤¤
[Root.Zekos] svchost.exe --

-> [NoKill]

[Suspicious.Path] TaskSTRun.exe -- C:\Users\Jeff\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Utilities\TaskSTRun.exe[-] -> [NoKill]
[SVCHOST] svchost.exe --

-> [NoKill]

¤¤¤ Registry Entries : 12 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.WallPaper] (X64) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Control Panel\Desktop | WallPaper : -> FOUND
[PUM.WallPaper] (X86) HKEY_USERS\S-1-5-21-3666843594-2470649185-1355108908-1000\Control Panel\Desktop | WallPaper : -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 88 ¤¤¤
[EAT:Addr] (firefox.exe) PSAPI.DLL - AcceptSecurityContext : C:\Windows\syswow64\Secur32.dll @ 0x757a3dec
[EAT:Addr] (firefox.exe) PSAPI.DLL - AcquireCredentialsHandleA : C:\Windows\syswow64\Secur32.dll @ 0x757a6021
[EAT:Addr] (firefox.exe) PSAPI.DLL - AcquireCredentialsHandleW : C:\Windows\syswow64\Secur32.dll @ 0x757a1e70
[EAT:Addr] (firefox.exe) PSAPI.DLL - AddCredentialsA : C:\Windows\syswow64\Secur32.dll @ 0x757add53
[EAT:Addr] (firefox.exe) PSAPI.DLL - AddCredentialsW : C:\Windows\syswow64\Secur32.dll @ 0x757adce6
[EAT:Addr] (firefox.exe) PSAPI.DLL - AddSecurityPackageA : C:\Windows\syswow64\Secur32.dll @ 0x757ac7e7
[EAT:Addr] (firefox.exe) PSAPI.DLL - AddSecurityPackageW : C:\Windows\syswow64\Secur32.dll @ 0x757ac7a8
[EAT:Addr] (firefox.exe) PSAPI.DLL - ApplyControlToken : C:\Windows\syswow64\Secur32.dll @ 0x757addc0
[EAT:Addr] (firefox.exe) PSAPI.DLL - ChangeAccountPasswordA : C:\Windows\syswow64\Secur32.dll @ 0x757ae305
[EAT:Addr] (firefox.exe) PSAPI.DLL - ChangeAccountPasswordW : C:\Windows\syswow64\Secur32.dll @ 0x757ae2d8
[EAT:Addr] (firefox.exe) PSAPI.DLL - CloseLsaPerformanceData : C:\Windows\syswow64\Secur32.dll @ 0x757af675
[EAT:Addr] (firefox.exe) PSAPI.DLL - CollectLsaPerformanceData : C:\Windows\syswow64\Secur32.dll @ 0x757af7b5
[EAT:Addr] (firefox.exe) PSAPI.DLL - CompleteAuthToken : C:\Windows\syswow64\Secur32.dll @ 0x757ade30
[EAT:Addr] (firefox.exe) PSAPI.DLL - CredMarshalTargetInfo : C:\Windows\syswow64\Secur32.dll @ 0x757a2c44
[EAT:Addr] (firefox.exe) PSAPI.DLL - CredParseUserNameWithType : C:\Windows\syswow64\Secur32.dll @ 0x757a26a7
[EAT:Addr] (firefox.exe) PSAPI.DLL - CredUnmarshalTargetInfo : C:\Windows\syswow64\Secur32.dll @ 0x757a2a4d
[EAT:Addr] (firefox.exe) PSAPI.DLL - DecryptMessage : C:\Windows\syswow64\Secur32.dll @ 0x757a3409
[EAT:Addr] (firefox.exe) PSAPI.DLL - DeleteSecurityContext : C:\Windows\syswow64\Secur32.dll @ 0x757a1c28
[EAT:Addr] (firefox.exe) PSAPI.DLL - DeleteSecurityPackageA : C:\Windows\syswow64\Secur32.dll @ 0x757ac83f
[EAT:Addr] (firefox.exe) PSAPI.DLL - DeleteSecurityPackageW : C:\Windows\syswow64\Secur32.dll @ 0x757ac83f
[EAT:Addr] (firefox.exe) PSAPI.DLL - EncryptMessage : C:\Windows\syswow64\Secur32.dll @ 0x757a333b
[EAT:Addr] (firefox.exe) PSAPI.DLL - EnumerateSecurityPackagesA : C:\Windows\syswow64\Secur32.dll @ 0x757a611c
[EAT:Addr] (firefox.exe) PSAPI.DLL - EnumerateSecurityPackagesW : C:\Windows\syswow64\Secur32.dll @ 0x757a69e3
[EAT:Addr] (firefox.exe) PSAPI.DLL - ExportSecurityContext : C:\Windows\syswow64\Secur32.dll @ 0x757ae17b
[EAT:Addr] (firefox.exe) PSAPI.DLL - FreeContextBuffer : C:\Windows\syswow64\Secur32.dll @ 0x757a1a93
[EAT:Addr] (firefox.exe) PSAPI.DLL - FreeCredentialsHandle : C:\Windows\syswow64\Secur32.dll @ 0x757a22ea
[EAT:Addr] (firefox.exe) PSAPI.DLL - GetComputerObjectNameA : C:\Windows\syswow64\Secur32.dll @ 0x757a595b
[EAT:Addr] (firefox.exe) PSAPI.DLL - GetComputerObjectNameW : C:\Windows\syswow64\Secur32.dll @ 0x757a5471
[EAT:Addr] (firefox.exe) PSAPI.DLL - GetSecurityUserInfo : C:\Windows\syswow64\Secur32.dll @ 0x757ac798
[EAT:Addr] (firefox.exe) PSAPI.DLL - GetUserNameExA : C:\Windows\syswow64\Secur32.dll @ 0x757a13b4
[EAT:Addr] (firefox.exe) PSAPI.DLL - GetUserNameExW : C:\Windows\syswow64\Secur32.dll @ 0x757a123b
[EAT:Addr] (firefox.exe) PSAPI.DLL - ImpersonateSecurityContext : C:\Windows\syswow64\Secur32.dll @ 0x757ade77
[EAT:Addr] (firefox.exe) PSAPI.DLL - ImportSecurityContextA : C:\Windows\syswow64\Secur32.dll @ 0x757ae258
[EAT:Addr] (firefox.exe) PSAPI.DLL - ImportSecurityContextW : C:\Windows\syswow64\Secur32.dll @ 0x757ae1d8
[EAT:Addr] (firefox.exe) PSAPI.DLL - InitSecurityInterfaceA : C:\Windows\syswow64\Secur32.dll @ 0x757a633d
[EAT:Addr] (firefox.exe) PSAPI.DLL - InitSecurityInterfaceW : C:\Windows\syswow64\Secur32.dll @ 0x757a6a1e
[EAT:Addr] (firefox.exe) PSAPI.DLL - InitializeSecurityContextA : C:\Windows\syswow64\Secur32.dll @ 0x757a5f09
[EAT:Addr] (firefox.exe) PSAPI.DLL - InitializeSecurityContextW : C:\Windows\syswow64\Secur32.dll @ 0x757a3c2e
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaCallAuthenticationPackage : C:\Windows\syswow64\Secur32.dll @ 0x757a48ea
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaConnectUntrusted : C:\Windows\syswow64\Secur32.dll @ 0x757a4776
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaDeregisterLogonProcess : C:\Windows\syswow64\Secur32.dll @ 0x757a4b91
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaEnumerateLogonSessions : C:\Windows\syswow64\Secur32.dll @ 0x757adbc0
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaFreeReturnBuffer : C:\Windows\syswow64\Secur32.dll @ 0x757a1b07
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaGetLogonSessionData : C:\Windows\syswow64\Secur32.dll @ 0x757a27c1
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaLogonUser : C:\Windows\syswow64\Secur32.dll @ 0x757a25ca
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaLookupAuthenticationPackage : C:\Windows\syswow64\Secur32.dll @ 0x757a4645
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaRegisterLogonProcess : C:\Windows\syswow64\Secur32.dll @ 0x757a49eb
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaRegisterPolicyChangeNotification : C:\Windows\syswow64\Secur32.dll @ 0x757a5374
[EAT:Addr] (firefox.exe) PSAPI.DLL - LsaUnregisterPolicyChangeNotification : C:\Windows\syswow64\Secur32.dll @ 0x757adb98
[EAT:Addr] (firefox.exe) PSAPI.DLL - MakeSignature : C:\Windows\syswow64\Secur32.dll @ 0x757ae0e1
[EAT:Addr] (firefox.exe) PSAPI.DLL - OpenLsaPerformanceData : C:\Windows\syswow64\Secur32.dll @ 0x757af576
[EAT:Addr] (firefox.exe) PSAPI.DLL - QueryContextAttributesA : C:\Windows\syswow64\Secur32.dll @ 0x757a63d9
[EAT:Addr] (firefox.exe) PSAPI.DLL - QueryContextAttributesW : C:\Windows\syswow64\Secur32.dll @ 0x757a3458
[EAT:Addr] (firefox.exe) PSAPI.DLL - QueryCredentialsAttributesA : C:\Windows\syswow64\Secur32.dll @ 0x757adfc3
[EAT:Addr] (firefox.exe) PSAPI.DLL - QueryCredentialsAttributesW : C:\Windows\syswow64\Secur32.dll @ 0x757a2032
[EAT:Addr] (firefox.exe) PSAPI.DLL - QuerySecurityContextToken : C:\Windows\syswow64\Secur32.dll @ 0x757a42de
[EAT:Addr] (firefox.exe) PSAPI.DLL - QuerySecurityPackageInfoA : C:\Windows\syswow64\Secur32.dll @ 0x757ade07
[EAT:Addr] (firefox.exe) PSAPI.DLL - QuerySecurityPackageInfoW : C:\Windows\syswow64\Secur32.dll @ 0x757a1f48
[EAT:Addr] (firefox.exe) PSAPI.DLL - RevertSecurityContext : C:\Windows\syswow64\Secur32.dll @ 0x757adebb
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslAcceptSecurityContext : C:\Windows\syswow64\Secur32.dll @ 0x757aef8a
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslEnumerateProfilesA : C:\Windows\syswow64\Secur32.dll @ 0x757aecc8
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslEnumerateProfilesW : C:\Windows\syswow64\Secur32.dll @ 0x757aecd8
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslGetContextOption : C:\Windows\syswow64\Secur32.dll @ 0x757ae69c
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslGetProfilePackageA : C:\Windows\syswow64\Secur32.dll @ 0x757aece8
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslGetProfilePackageW : C:\Windows\syswow64\Secur32.dll @ 0x757aed14
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslIdentifyPackageA : C:\Windows\syswow64\Secur32.dll @ 0x757af3c8
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslIdentifyPackageW : C:\Windows\syswow64\Secur32.dll @ 0x757af3f6
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslInitializeSecurityContextA : C:\Windows\syswow64\Secur32.dll @ 0x757aee65
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslInitializeSecurityContextW : C:\Windows\syswow64\Secur32.dll @ 0x757aed40
[EAT:Addr] (firefox.exe) PSAPI.DLL - SaslSetContextOption : C:\Windows\syswow64\Secur32.dll @ 0x757ae78d
[EAT:Addr] (firefox.exe) PSAPI.DLL - SealMessage : C:\Windows\syswow64\Secur32.dll @ 0x757a333b
[EAT:Addr] (firefox.exe) PSAPI.DLL - SecCacheSspiPackages : C:\Windows\syswow64\Secur32.dll @ 0x757a5bde
[EAT:Addr] (firefox.exe) PSAPI.DLL - SecDeleteUserModeContext : C:\Windows\syswow64\Secur32.dll @ 0x757ad96b
[EAT:Addr] (firefox.exe) PSAPI.DLL - SecInitUserModeContext : C:\Windows\syswow64\Secur32.dll @ 0x757ad8f0
[EAT:Addr] (firefox.exe) PSAPI.DLL - SeciAllocateAndSetCallFlags : C:\Windows\syswow64\Secur32.dll @ 0x757a4454
[EAT:Addr] (firefox.exe) PSAPI.DLL - SeciAllocateAndSetIPAddress : C:\Windows\syswow64\Secur32.dll @ 0x757a43cc
[EAT:Addr] (firefox.exe) PSAPI.DLL - SeciFreeCallContext : C:\Windows\syswow64\Secur32.dll @ 0x757a4388
[EAT:Addr] (firefox.exe) PSAPI.DLL - SecpFreeMemory : C:\Windows\syswow64\Secur32.dll @ 0x757a4f5c
[EAT:Addr] (firefox.exe) PSAPI.DLL - SecpTranslateName : C:\Windows\syswow64\Secur32.dll @ 0x757a586c
[EAT:Addr] (firefox.exe) PSAPI.DLL - SecpTranslateNameEx : C:\Windows\syswow64\Secur32.dll @ 0x757a4f6d
[EAT:Addr] (firefox.exe) PSAPI.DLL - SetContextAttributesA : C:\Windows\syswow64\Secur32.dll @ 0x757adf61
[EAT:Addr] (firefox.exe) PSAPI.DLL - SetContextAttributesW : C:\Windows\syswow64\Secur32.dll @ 0x757adeff
[EAT:Addr] (firefox.exe) PSAPI.DLL - SetCredentialsAttributesA : C:\Windows\syswow64\Secur32.dll @ 0x757ae07f
[EAT:Addr] (firefox.exe) PSAPI.DLL - SetCredentialsAttributesW : C:\Windows\syswow64\Secur32.dll @ 0x757ae01d
[EAT:Addr] (firefox.exe) PSAPI.DLL - TranslateNameA : C:\Windows\syswow64\Secur32.dll @ 0x757af45f
[EAT:Addr] (firefox.exe) PSAPI.DLL - TranslateNameW : C:\Windows\syswow64\Secur32.dll @ 0x757af424
[EAT:Addr] (firefox.exe) PSAPI.DLL - UnsealMessage : C:\Windows\syswow64\Secur32.dll @ 0x757a3409
[EAT:Addr] (firefox.exe) PSAPI.DLL - VerifySignature : C:\Windows\syswow64\Secur32.dll @ 0x757ae12e

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHZ2250BH G2 ATA Device +++++
--- User ---
[MBR] ca8f4368b25ff5d4acb82b8993dd5ab2
[BSP] ce78a3935ef012636b3098d0945fbb2c : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 225247 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 461307904 | Size: 13224 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: JMCR SD/MMC SCSI Disk Device +++++
--- User ---
[MBR] fa6d13ad7179118f4fed64408274dacd
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x6) [VISIBLE] Offset (sectors): 135 | Size: 1884 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

============================================
RKreport_DEL_06062014_203858.log - RKreport_DEL_06062014_212820.log - RKreport_DEL_06062014_215712.log - RKreport_DEL_06062014_220639.log
RKreport_DEL_06092014_162015.log - RKreport_SCN_06062014_203441.log - RKreport_SCN_06062014_212619.log - RKreport_SCN_06062014_213427.log
RKreport_SCN_06062014_220420.log - RKreport_SCN_06092014_161531.log

And here is the latest Malwarebytes log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/10/2014
Scan Time: 2:20:45 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.10.06
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: Jeff

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 338347
Time Elapsed: 45 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)

Now TaskSTRun is a handy tool that could be enhanced by adding a dump or report so others could get a better picture of what may be going on in a system. Anyway, I hope this is helpful and I really appreciate your efforts.

Peace!

Tigzy · « **Reply #8 on:** June 11, 2014, 02:08:44 PM »

mmh, I should have included the PID as well in the report.
There are several svchost running I presume.

Could you do a dump of every of them with Process Explorer? http://www.bleepingcomputer.com/download/process-explorer/
Right click on every svchost process, => Full dump.

Then zip them all, and if you can upload them on a file hosting and share the link?
I'll scan them on virus total and try to find the culprit signature

jvastine · « **Reply #9 on:** June 12, 2014, 03:24:26 AM »

Well there were far less svchost processes running when I ran Process Explorer, but hopefully these dumps will be of help. Here is the link to the zipped files: https://www.dropbox.com/s/hf2ujg4y0y8vd11/ProcessDump.zip

Your time and efforts are truly appreciated Tigzy!

Thankks!

Tigzy · « **Reply #10 on:** June 12, 2014, 02:11:16 PM »

Thanks.
Can you scan your file C:\Windows\System32\rpcss.dll in virus total and give the link here?
www.virustotal.com

jvastine · « **Reply #11 on:** June 12, 2014, 09:18:17 PM »

Strange, but the select file explorer on Virus Total would not recognize the file. After verifying it's existence and trying again I had to copy rpcss.dll to the desktop to be uploaded and scanned. I wonder if the bug was somehow masking the presence of this file. Anyway, here is the link you requested:
https://www.virustotal.com/en/file/59f9f4c03eb9f4bdfe4222e8068b1787737472b5bfa8d1417c1c2a17a2043a04/analysis/

Tigzy · « **Reply #12 on:** June 13, 2014, 07:02:42 AM »

You're infected, for sure by Zekos.
I don't have time to release a new version of RogueKiller and test the removal, so I'll submit the signature to Malwarebytes instead.
They'll probably add it within the day and you'll be able to cure your PC. I'll tell you when it's ok for them.

Tigzy · « **Reply #13 on:** June 13, 2014, 08:15:39 AM »

I have a better idea, you'll replace it by hand.

Here's the file, download it on the desktop, unzip it.
- Then go to C:\Windows\System32, rename the infected rpcss.dll into rpcss.dll.vir (it should be ok to)
- Copy/Paste the good one into system32 folder.
- Reboot, and verify that the not infected file is still here (upload on virus total)
- Scan with RogueKiller, if no more Zekos process killed, then that ok.

Let me know.

EDIT: For people having the same issue. PLEASE do NOT download and try to replace with that file. This file was for the OP of this thread, it's the one needed for his operating system. You may not need the same file. If you replace with a wrong file, you'll have a Black Screen Of Death at reboot.

jvastine · « **Reply #14 on:** June 14, 2014, 03:18:51 AM »

All is well Tigzy. Thanks mate! I hope all of this provided you with some insight into improving your fine tools. To show my appreciation for your time and assistance Ii will send you a donation. If everyone would that uses your software tools would send you something no matter how large or small you would be free to create and help more. Giving back is the right thing to do.

Once again thanks, you are truly appreciated!

Peace!

Author Topic: RogueKiller64 & root.Zekos (Read 23784 times)

jvastine

RogueKiller64 & root.Zekos

Tigzy

Re: RogueKiller64 & root.Zekos

jvastine

Re: RogueKiller64 & root.Zekos

Tigzy

Re: RogueKiller64 & root.Zekos

jvastine

Re: RogueKiller64 & root.Zekos

Tigzy

Re: RogueKiller64 & root.Zekos

jvastine

Re: RogueKiller64 & root.Zekos

jvastine

Re: RogueKiller64 & root.Zekos

Tigzy

Re: RogueKiller64 & root.Zekos

jvastine

Re: RogueKiller64 & root.Zekos

Tigzy

Re: RogueKiller64 & root.Zekos

jvastine

Re: RogueKiller64 & root.Zekos

Tigzy

Re: RogueKiller64 & root.Zekos

Tigzy

Re: RogueKiller64 & root.Zekos

jvastine

Re: RogueKiller64 & root.Zekos