Roguekiller stops working midway through scan

[phshbone]

Hi

I recently was asked to fix a relative's pc  - uncle died and we need to get info. I believe from the research that it is a fake HDD problem. I get action center warnings that my antivirus needs ro be turned on, firewall off, etc. I try to turn firewall on and get error messages that it wont let me. I can't do windows updates, etc.

I have run Rkill, TDSS killer, Malwarebytes, Superantispyware, Spybot S&D, ADWCleaner, JRT and finally Rogue Killer.
I get through the prescan of RK and it tells me I have ZeroAccess attached to Superantispyware.

I also got a Serial.exe I believe that came up.

I run the scan part of RK and when it gets to the win32 driver scan it freezes and when i run my mouse over the scan, delete, report buttons they light up and the scan appears to be over. I get a couple of registry items that initially allows me to check them. If I check them before the freeze it allows the delete but then I see that they were "replaced". If I dont check the items before RK freezes, I am not able to check them nor delete.

I do get this which I have tried.
http://www.adlice.com/zeroaccess-removal-with-roguekiller/
It seemed to work...got a lot of red results, deleted and they were back on the next reboot.

Any suggestions?

[Tigzy]

Hello
Could you please give the text report?
(Sorry for you uncle)

[phshbone]

Thanks...i appreciate that.

Here is the log - before i hit the delete button and chose what to remove:

RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : wcm [Admin rights]
Mode : Scan -- Date : 09/12/2014  10:38:25

¤¤¤ Bad processes : 3 ¤¤¤
[ZeroAccess] SUPERANTISPYWARE.EXE -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[7] -> KILLED [TermProc]
[Suspicious.Path] FirefoxPortable.exe -- C:\Users\wcm\Desktop\ff14 backup\FirefoxPortable\FirefoxPortable.exe[7] -> KILLED [TermThr]
[Suspicious.Path] firefox.exe -- C:\Users\wcm\Desktop\ff14 backup\FirefoxPortable\App\firefox\firefox.exe[7] -> KILLED [TermThr]

¤¤¤ Registry Entries : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2686632235-3909572256-2187879314-1001\Software\Microsoft\Internet Explorer\Main | Start Page :   -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2686632235-3909572256-2187879314-1001\Software\Microsoft\Internet Explorer\Main | Start Page :   -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 2 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\Drivers\PxHlpa64.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\drivers\USBPORT.SYS)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AADS-00S9B0 ATA Device +++++
--- User ---
[MBR] f29d794f749304545b5cc015d96d24ed
[BSP] 38fff1c52b15ca93b8e93dfa799c11f9 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST3250318AS ATA Device +++++
--- User ---
[MBR] f3d722eff050e18a42f983240efeb788
[BSP] 643b57b4d47c703132dfef6575dc728c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_09062014_142125.log - RKreport_DEL_09062014_143646.log - RKreport_DEL_09062014_152201.log - RKreport_DEL_09072014_172249.log
RKreport_DEL_09072014_175809.log - RKreport_DEL_09082014_151208.log - RKreport_DEL_09082014_175926.log - RKreport_DEL_09082014_183324.log
RKreport_DEL_09082014_190010.log - RKreport_DEL_09092014_165031.log - RKreport_DEL_09092014_170856.log - RKreport_DEL_09092014_174445.log
RKreport_DEL_09092014_184758.log - RKreport_DEL_09112014_102646.log - RKreport_DEL_09112014_104826.log - RKreport_SCN_09062014_141732.log
RKreport_SCN_09062014_143408.log - RKreport_SCN_09062014_150903.log - RKreport_SCN_09072014_152418.log - RKreport_SCN_09072014_171527.log
RKreport_SCN_09072014_175619.log - RKreport_SCN_09082014_135233.log - RKreport_SCN_09082014_175244.log - RKreport_SCN_09082014_180908.log
RKreport_SCN_09082014_185915.log - RKreport_SCN_09092014_134645.log - RKreport_SCN_09092014_163616.log - RKreport_SCN_09092014_165057.log
RKreport_SCN_09092014_170746.log - RKreport_SCN_09092014_174330.log - RKreport_SCN_09092014_180426.log - RKreport_SCN_09112014_102627.log
RKreport_SCN_09112014_104201.log


NOTE:

*** The two registry entries that start with PUM - When I select and delete they come back immediately as 'replaced'.

[Tigzy]

Ok, nothing to worry about.
I'll see for SUPERANTISPYWARE.

[phshbone]

Guess No answer to the issue, then.

Thx for your time.

[Tigzy]

I couldn't reproduce.
Which version of SUPERANTISPYWARE do you use? (portable/pro/free)