Author Topic: Can't be deleted possible malware (Read 20162 times)

RaiZZZ19 · « **on:** September 18, 2014, 09:51:55 PM »

I had trouble dealing with this because I don't know if it's a malware or not and Roguekiller seems can't delete it.
Here's my report using the latest. I've tried everything from antivrus to superantimalware and combofix but nothing seems to remove it. It gives me headache. Pls help. Also I noticed my screen have a stain if I have a malware and now my broadband stick does not display the correct color for speed connection.

RogueKiller V9.2.11.0 [Sep 9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Remove -- Date : 09/19/2014 03:38:18

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A773825-CD3A-43AA-B6FF-1A6A9E969E5E} | NameServer : 121.1.3.74 121.1.3.89 -> REPLACED ()

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 7 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : Unknown @ 0x8bd70b16
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8bd70b20
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x8bd70b1b
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8bd70b25
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8bd70b2a
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8bd70b3e
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8bd70b43

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_08252014_141057.log - RKreport_DEL_08252014_142437.log - RKreport_DEL_08252014_143444.log - RKreport_DEL_08252014_144154.log
RKreport_DEL_08252014_144912.log - RKreport_DEL_08252014_150337.log - RKreport_DEL_08262014_231506.log - RKreport_DEL_08262014_232640.log
RKreport_DEL_08262014_234357.log - RKreport_DEL_08292014_192844.log - RKreport_DEL_08302014_192856.log - RKreport_DEL_08302014_215715.log
RKreport_DEL_08312014_125835.log - RKreport_DEL_08312014_130448.log - RKreport_DEL_08312014_163003.log - RKreport_DEL_08312014_163943.log
RKreport_DEL_08312014_211853.log - RKreport_DEL_09042014_052841.log - RKreport_DEL_09042014_201213.log - RKreport_DEL_09042014_203512.log
RKreport_DEL_09052014_010805.log - RKreport_DEL_09052014_032809.log - RKreport_DEL_09062014_192835.log - RKreport_DEL_09062014_193849.log
RKreport_DEL_09062014_210144.log - RKreport_DEL_09072014_000852.log - RKreport_DEL_09072014_002032.log - RKreport_DEL_09072014_003229.log
RKreport_DEL_09072014_004306.log - RKreport_DEL_09072014_012101.log - RKreport_DEL_09072014_013809.log - RKreport_DEL_09072014_015023.log
RKreport_DEL_09072014_020430.log - RKreport_DEL_09072014_021655.log - RKreport_DEL_09072014_022916.log - RKreport_DEL_09072014_031947.log
RKreport_DEL_09072014_033134.log - RKreport_DEL_09072014_170449.log - RKreport_DEL_09072014_171547.log - RKreport_DEL_09072014_172720.log
RKreport_DEL_09072014_173809.log - RKreport_DEL_09072014_174812.log - RKreport_DEL_09072014_175842.log - RKreport_DEL_09072014_180416.log
RKreport_DEL_09072014_180950.log - RKreport_DEL_09072014_181548.log - RKreport_DEL_09072014_182141.log - RKreport_DEL_09072014_182725.log
RKreport_DEL_09072014_183304.log - RKreport_DEL_09072014_184153.log - RKreport_DEL_09072014_185519.log - RKreport_DEL_09072014_201056.log
RKreport_DEL_09072014_222351.log - RKreport_DEL_09072014_230025.log - RKreport_DEL_09082014_180137.log - RKreport_DEL_09082014_195410.log
RKreport_DEL_09092014_024938.log - RKreport_DEL_09102014_003411.log - RKreport_DEL_09122014_184753.log - RKreport_DEL_09122014_185920.log
RKreport_DEL_09122014_223254.log - RKreport_DEL_09132014_031215.log - RKreport_DEL_09192014_022324.log - RKreport_SCN_08252014_140738.log
RKreport_SCN_08252014_142050.log - RKreport_SCN_08252014_143226.log - RKreport_SCN_08252014_144120.log - RKreport_SCN_08252014_144747.log
RKreport_SCN_08252014_145755.log - RKreport_SCN_08252014_151229.log - RKreport_SCN_08252014_181328.log - RKreport_SCN_08262014_231328.log
RKreport_SCN_08262014_232051.log - RKreport_SCN_08262014_234330.log - RKreport_SCN_08272014_005804.log - RKreport_SCN_08272014_011227.log
RKreport_SCN_08292014_192743.log - RKreport_SCN_08292014_193402.log - RKreport_SCN_08292014_235858.log - RKreport_SCN_08302014_192425.log
RKreport_SCN_08302014_195223.log - RKreport_SCN_08302014_215628.log - RKreport_SCN_08302014_220227.log - RKreport_SCN_08302014_221353.log
RKreport_SCN_08312014_024930.log - RKreport_SCN_08312014_030634.log - RKreport_SCN_08312014_125520.log - RKreport_SCN_08312014_130415.log
RKreport_SCN_08312014_150328.log - RKreport_SCN_08312014_162836.log - RKreport_SCN_08312014_163452.log - RKreport_SCN_08312014_211802.log
RKreport_SCN_09032014_000512.log - RKreport_SCN_09042014_052237.log - RKreport_SCN_09042014_123307.log - RKreport_SCN_09042014_200927.log
RKreport_SCN_09042014_201302.log - RKreport_SCN_09042014_203222.log - RKreport_SCN_09042014_225307.log - RKreport_SCN_09052014_010749.log
RKreport_SCN_09052014_025055.log - RKreport_SCN_09052014_032751.log - RKreport_SCN_09052014_033452.log - RKreport_SCN_09052014_122730.log
RKreport_SCN_09062014_102110.log - RKreport_SCN_09062014_192723.log - RKreport_SCN_09062014_193830.log - RKreport_SCN_09062014_195228.log
RKreport_SCN_09062014_205845.log - RKreport_SCN_09062014_215014.log - RKreport_SCN_09062014_234832.log - RKreport_SCN_09072014_000755.log
RKreport_SCN_09072014_001743.log - RKreport_SCN_09072014_003211.log - RKreport_SCN_09072014_003828.log - RKreport_SCN_09072014_004252.log
RKreport_SCN_09072014_005346.log - RKreport_SCN_09072014_012029.log - RKreport_SCN_09072014_013725.log - RKreport_SCN_09072014_014936.log
RKreport_SCN_09072014_020349.log - RKreport_SCN_09072014_021626.log - RKreport_SCN_09072014_022839.log - RKreport_SCN_09072014_031936.log
RKreport_SCN_09072014_033119.log - RKreport_SCN_09072014_170442.log - RKreport_SCN_09072014_171513.log - RKreport_SCN_09072014_172715.log
RKreport_SCN_09072014_173754.log - RKreport_SCN_09072014_174803.log - RKreport_SCN_09072014_175837.log - RKreport_SCN_09072014_175853.log
RKreport_SCN_09072014_180410.log - RKreport_SCN_09072014_180945.log - RKreport_SCN_09072014_181539.log - RKreport_SCN_09072014_182132.log
RKreport_SCN_09072014_182717.log - RKreport_SCN_09072014_183258.log - RKreport_SCN_09072014_183911.log - RKreport_SCN_09072014_185443.log
RKreport_SCN_09072014_201050.log - RKreport_SCN_09072014_222312.log - RKreport_SCN_09072014_230004.log - RKreport_SCN_09082014_175721.log
RKreport_SCN_09082014_181234.log - RKreport_SCN_09082014_195327.log - RKreport_SCN_09092014_024838.log - RKreport_SCN_09102014_003309.log
RKreport_SCN_09122014_184727.log - RKreport_SCN_09122014_185857.log - RKreport_SCN_09122014_223225.log - RKreport_SCN_09132014_031123.log
RKreport_SCN_09132014_033024.log - RKreport_SCN_09142014_163814.log - RKreport_SCN_09162014_155818.log - RKreport_SCN_09182014_161214.log
RKreport_SCN_09182014_162655.log - RKreport_SCN_09192014_022245.log - RKreport_SCN_09192014_033736.log

RaiZZZ19 · « **Reply #1 on:** September 19, 2014, 08:47:15 AM »

Here's a 2nd scan with more detection

Code: [Select]

RogueKiller V9.2.11.0 [Sep  9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Scan -- Date : 09/19/2014  14:28:03

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A773825-CD3A-43AA-B6FF-1A6A9E969E5E} | NameServer : 121.1.3.74 121.1.3.89  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 23 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962e8c
[SSDT:Addr(Hook.SSDT)] NtCreateThread[78] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1963010
[SSDT:Addr(Hook.SSDT)] NtMakeTemporaryObject[174] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962e02
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196312e
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8bd70b20
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196324e
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8bd70b25
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f94c
[SSDT:Addr(Hook.SSDT)] NtSetSystemTime[319] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195fb02
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8bd70b2a
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8bd70ab7
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962d74
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196102e
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196309e
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallTwoParam[334] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1961d0a
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f2f6
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f292
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195eece
[ShwSSDT:Addr(Hook.Shadow)] NtUserQueryWindow[504] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195ecce
[ShwSSDT:Addr(Hook.Shadow)] NtUserSendInput[525] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1961cb4
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8bd70b3e
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8bd70b43
[ShwSSDT:Addr(Hook.Shadow)] NtUserSwitchDesktop[582] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195e99c

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_08252014_141057.log - RKreport_DEL_08252014_142437.log - RKreport_DEL_08252014_143444.log - RKreport_DEL_08252014_144154.log
RKreport_DEL_08252014_144912.log - RKreport_DEL_08252014_150337.log - RKreport_DEL_08262014_231506.log - RKreport_DEL_08262014_232640.log
RKreport_DEL_08262014_234357.log - RKreport_DEL_08292014_192844.log - RKreport_DEL_08302014_192856.log - RKreport_DEL_08302014_215715.log
RKreport_DEL_08312014_125835.log - RKreport_DEL_08312014_130448.log - RKreport_DEL_08312014_163003.log - RKreport_DEL_08312014_163943.log
RKreport_DEL_08312014_211853.log - RKreport_DEL_09042014_052841.log - RKreport_DEL_09042014_201213.log - RKreport_DEL_09042014_203512.log
RKreport_DEL_09052014_010805.log - RKreport_DEL_09052014_032809.log - RKreport_DEL_09062014_192835.log - RKreport_DEL_09062014_193849.log
RKreport_DEL_09062014_210144.log - RKreport_DEL_09072014_000852.log - RKreport_DEL_09072014_002032.log - RKreport_DEL_09072014_003229.log
RKreport_DEL_09072014_004306.log - RKreport_DEL_09072014_012101.log - RKreport_DEL_09072014_013809.log - RKreport_DEL_09072014_015023.log
RKreport_DEL_09072014_020430.log - RKreport_DEL_09072014_021655.log - RKreport_DEL_09072014_022916.log - RKreport_DEL_09072014_031947.log
RKreport_DEL_09072014_033134.log - RKreport_DEL_09072014_170449.log - RKreport_DEL_09072014_171547.log - RKreport_DEL_09072014_172720.log
RKreport_DEL_09072014_173809.log - RKreport_DEL_09072014_174812.log - RKreport_DEL_09072014_175842.log - RKreport_DEL_09072014_180416.log
RKreport_DEL_09072014_180950.log - RKreport_DEL_09072014_181548.log - RKreport_DEL_09072014_182141.log - RKreport_DEL_09072014_182725.log
RKreport_DEL_09072014_183304.log - RKreport_DEL_09072014_184153.log - RKreport_DEL_09072014_185519.log - RKreport_DEL_09072014_201056.log
RKreport_DEL_09072014_222351.log - RKreport_DEL_09072014_230025.log - RKreport_DEL_09082014_180137.log - RKreport_DEL_09082014_195410.log
RKreport_DEL_09092014_024938.log - RKreport_DEL_09102014_003411.log - RKreport_DEL_09122014_184753.log - RKreport_DEL_09122014_185920.log
RKreport_DEL_09122014_223254.log - RKreport_DEL_09132014_031215.log - RKreport_DEL_09192014_022324.log - RKreport_DEL_09192014_033818.log
RKreport_SCN_08252014_140738.log - RKreport_SCN_08252014_142050.log - RKreport_SCN_08252014_143226.log - RKreport_SCN_08252014_144120.log
RKreport_SCN_08252014_144747.log - RKreport_SCN_08252014_145755.log - RKreport_SCN_08252014_151229.log - RKreport_SCN_08252014_181328.log
RKreport_SCN_08262014_231328.log - RKreport_SCN_08262014_232051.log - RKreport_SCN_08262014_234330.log - RKreport_SCN_08272014_005804.log
RKreport_SCN_08272014_011227.log - RKreport_SCN_08292014_192743.log - RKreport_SCN_08292014_193402.log - RKreport_SCN_08292014_235858.log
RKreport_SCN_08302014_192425.log - RKreport_SCN_08302014_195223.log - RKreport_SCN_08302014_215628.log - RKreport_SCN_08302014_220227.log
RKreport_SCN_08302014_221353.log - RKreport_SCN_08312014_024930.log - RKreport_SCN_08312014_030634.log - RKreport_SCN_08312014_125520.log
RKreport_SCN_08312014_130415.log - RKreport_SCN_08312014_150328.log - RKreport_SCN_08312014_162836.log - RKreport_SCN_08312014_163452.log
RKreport_SCN_08312014_211802.log - RKreport_SCN_09032014_000512.log - RKreport_SCN_09042014_052237.log - RKreport_SCN_09042014_123307.log
RKreport_SCN_09042014_200927.log - RKreport_SCN_09042014_201302.log - RKreport_SCN_09042014_203222.log - RKreport_SCN_09042014_225307.log
RKreport_SCN_09052014_010749.log - RKreport_SCN_09052014_025055.log - RKreport_SCN_09052014_032751.log - RKreport_SCN_09052014_033452.log
RKreport_SCN_09052014_122730.log - RKreport_SCN_09062014_102110.log - RKreport_SCN_09062014_192723.log - RKreport_SCN_09062014_193830.log
RKreport_SCN_09062014_195228.log - RKreport_SCN_09062014_205845.log - RKreport_SCN_09062014_215014.log - RKreport_SCN_09062014_234832.log
RKreport_SCN_09072014_000755.log - RKreport_SCN_09072014_001743.log - RKreport_SCN_09072014_003211.log - RKreport_SCN_09072014_003828.log
RKreport_SCN_09072014_004252.log - RKreport_SCN_09072014_005346.log - RKreport_SCN_09072014_012029.log - RKreport_SCN_09072014_013725.log
RKreport_SCN_09072014_014936.log - RKreport_SCN_09072014_020349.log - RKreport_SCN_09072014_021626.log - RKreport_SCN_09072014_022839.log
RKreport_SCN_09072014_031936.log - RKreport_SCN_09072014_033119.log - RKreport_SCN_09072014_170442.log - RKreport_SCN_09072014_171513.log
RKreport_SCN_09072014_172715.log - RKreport_SCN_09072014_173754.log - RKreport_SCN_09072014_174803.log - RKreport_SCN_09072014_175837.log
RKreport_SCN_09072014_175853.log - RKreport_SCN_09072014_180410.log - RKreport_SCN_09072014_180945.log - RKreport_SCN_09072014_181539.log
RKreport_SCN_09072014_182132.log - RKreport_SCN_09072014_182717.log - RKreport_SCN_09072014_183258.log - RKreport_SCN_09072014_183911.log
RKreport_SCN_09072014_185443.log - RKreport_SCN_09072014_201050.log - RKreport_SCN_09072014_222312.log - RKreport_SCN_09072014_230004.log
RKreport_SCN_09082014_175721.log - RKreport_SCN_09082014_181234.log - RKreport_SCN_09082014_195327.log - RKreport_SCN_09092014_024838.log
RKreport_SCN_09102014_003309.log - RKreport_SCN_09122014_184727.log - RKreport_SCN_09122014_185857.log - RKreport_SCN_09122014_223225.log
RKreport_SCN_09132014_031123.log - RKreport_SCN_09132014_033024.log - RKreport_SCN_09142014_163814.log - RKreport_SCN_09162014_155818.log
RKreport_SCN_09182014_161214.log - RKreport_SCN_09182014_162655.log - RKreport_SCN_09192014_022245.log - RKreport_SCN_09192014_033736.log

Tigzy · « **Reply #2 on:** September 19, 2014, 10:05:50 AM »

Indeed, that looks suspicious.
Do you find that file? C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys

RaiZZZ19 · « **Reply #3 on:** September 21, 2014, 12:01:22 PM »

I can't find it. Don't know if its hiding itself. And there are other temp folders (12 & 35) aside from the original temp. How do I fix these?

Tigzy · « **Reply #4 on:** September 21, 2014, 12:11:31 PM »

Does that still happen after a reboot + rescan?
If yes, please scan with Gmer: http://www.gmer.net/

RaiZZZ19 · « **Reply #5 on:** September 21, 2014, 12:24:43 PM »

Yes. And everytime I go to a site I'm directed to cloudfare or other security check. Ok I'll try Gmer.

RaiZZZ19 · « **Reply #6 on:** September 21, 2014, 10:11:41 PM »

Here's the GMER Scan:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-22 04:05:42
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0 232.89GB
Running: gmer.exe; Driver: C:\Users\Rai\AppData\Local\Temp\pwdiqpow.sys

---- System - GMER 2.1 ----

SSDT 8BD31CFE ZwCreateSection
SSDT 8BD31D08 ZwRequestWaitReplyPort
SSDT 8BD31D03 ZwSetContextThread
SSDT 8BD31D0D ZwSetSecurityObject
SSDT 8BD31D12 ZwSystemDebugControl
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8F690640]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetEvent + 215 840FC860 4 Bytes [FE, 1C, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 539 840FCB84 4 Bytes [08, 1D, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 56D 840FCBB8 4 Bytes [03, 1D, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 5D1 840FCC1C 4 Bytes [0D, 1D, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 619 840FCC64 4 Bytes [12, 1D, D3, 8B]
.text ...

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622 0xD1 0x07 0xB8 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x00 0x21 0x5B 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622 0xD1 0x07 0xB8 0x75 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x00 0x21 0x5B 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622 0xD1 0x07 0xB8 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x00 0x21 0x5B 0xCF ...

---- EOF - GMER 2.1 ----

Tigzy · « **Reply #7 on:** September 22, 2014, 09:02:09 AM »

Can you try to see if there's the driver file in TMP folder within Gmer? (there's a directory explorer)
If you see it, please rename the file. That's weird, at least a hidden service should be existing...

RaiZZZ19 · « **Reply #8 on:** September 22, 2014, 11:07:02 AM »

I think I downloaded the .exe that doesn't need to install. and the driver file your mentioning is in that installer. I downloaded the non installer bec. it doesnt let me download the installer. So I'll try again.

RaiZZZ19 · « **Reply #9 on:** September 22, 2014, 11:18:06 AM »

I've downloaded both and both are only .exe file. So I open with 7z but all files I found are digits and sys file. It basically runs and doesnt need to install so I don't know where that tmp folder your talking about.

Tigzy · « **Reply #10 on:** September 22, 2014, 11:30:47 AM »

It's a little confusing to me.

Quote

I think I downloaded the .exe that doesn't need to install. and the driver file your mentioning is in that installer. I downloaded the non installer bec. it doesnt let me download the installer. So I'll try again.

Installer of what program?

RaiZZZ19 · « **Reply #11 on:** September 22, 2014, 11:41:59 AM »

I'm a little confused because I can't find where it was installed. I go to that site and downloaded it. It was in zip and inside is Gmer.exe and another but no zip and named with a combination of numbers and letters. It's just double click then you start to scan. But it did say in the site that it installed somewhere and you can delete it. Maybe I'm missing something here. Anyway I'm scanning for the 2nd time so maybe I did something wrong on the 1st scan.

Tigzy · « **Reply #12 on:** September 22, 2014, 11:45:55 AM »

On the site, just click on button "Download exe"
It's standalone tool, no installation.

RaiZZZ19 · « **Reply #13 on:** September 23, 2014, 01:01:23 PM »

Yeah that's what I did. So that not to confuse I made a new scan with Roguekiller and after that
is Gmer. Here's a pic and the report;
But may I ask, is the highlighted in orange [SSDT] a good thing or a bad thing and if it's bad
can it be removed? And from another pic there's these stains from the top screen which I
believed is caused by malware. The changes I found in my laptop are suspicious. On startup
my firewall seems to be always turned off which happened recently and my Broadband stick
is displaying wrong color indication even if the signal is strong. Also I have a game that have
a notepad file which sometimes the contents of it are erased but the file is still there resulting
to the game unable to start.

=============================================================
RogueKiller V9.2.11.0 [Sep 9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Scan -- Date : 09/23/2014 17:01:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 8 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : Unknown @ 0x8c83e11e
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8c83e128
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x8c83e123
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8c83e12d
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8c83e132
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8c83e0bf
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8c83e146
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8c83e14b

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_08252014_141057.log - RKreport_DEL_08252014_142437.log - RKreport_DEL_08252014_143444.log - RKreport_DEL_08252014_144154.log
RKreport_DEL_08252014_144912.log - RKreport_DEL_08252014_150337.log - RKreport_DEL_08262014_231506.log - RKreport_DEL_08262014_232640.log
RKreport_DEL_08262014_234357.log - RKreport_DEL_08292014_192844.log - RKreport_DEL_08302014_192856.log - RKreport_DEL_08302014_215715.log
RKreport_DEL_08312014_125835.log - RKreport_DEL_08312014_130448.log - RKreport_DEL_08312014_163003.log - RKreport_DEL_08312014_163943.log
RKreport_DEL_08312014_211853.log - RKreport_DEL_09042014_052841.log - RKreport_DEL_09042014_201213.log - RKreport_DEL_09042014_203512.log
RKreport_DEL_09052014_010805.log - RKreport_DEL_09052014_032809.log - RKreport_DEL_09062014_192835.log - RKreport_DEL_09062014_193849.log
RKreport_DEL_09062014_210144.log - RKreport_DEL_09072014_000852.log - RKreport_DEL_09072014_002032.log - RKreport_DEL_09072014_003229.log
RKreport_DEL_09072014_004306.log - RKreport_DEL_09072014_012101.log - RKreport_DEL_09072014_013809.log - RKreport_DEL_09072014_015023.log
RKreport_DEL_09072014_020430.log - RKreport_DEL_09072014_021655.log - RKreport_DEL_09072014_022916.log - RKreport_DEL_09072014_031947.log
RKreport_DEL_09072014_033134.log - RKreport_DEL_09072014_170449.log - RKreport_DEL_09072014_171547.log - RKreport_DEL_09072014_172720.log
RKreport_DEL_09072014_173809.log - RKreport_DEL_09072014_174812.log - RKreport_DEL_09072014_175842.log - RKreport_DEL_09072014_180416.log
RKreport_DEL_09072014_180950.log - RKreport_DEL_09072014_181548.log - RKreport_DEL_09072014_182141.log - RKreport_DEL_09072014_182725.log
RKreport_DEL_09072014_183304.log - RKreport_DEL_09072014_184153.log - RKreport_DEL_09072014_185519.log - RKreport_DEL_09072014_201056.log
RKreport_DEL_09072014_222351.log - RKreport_DEL_09072014_230025.log - RKreport_DEL_09082014_180137.log - RKreport_DEL_09082014_195410.log
RKreport_DEL_09092014_024938.log - RKreport_DEL_09102014_003411.log - RKreport_DEL_09122014_184753.log - RKreport_DEL_09122014_185920.log
RKreport_DEL_09122014_223254.log - RKreport_DEL_09132014_031215.log - RKreport_DEL_09192014_022324.log - RKreport_DEL_09192014_033818.log
RKreport_DEL_09192014_142930.log - RKreport_DEL_09192014_184013.log - RKreport_SCN_08252014_140738.log - RKreport_SCN_08252014_142050.log
RKreport_SCN_08252014_143226.log - RKreport_SCN_08252014_144120.log - RKreport_SCN_08252014_144747.log - RKreport_SCN_08252014_145755.log
RKreport_SCN_08252014_151229.log - RKreport_SCN_08252014_181328.log - RKreport_SCN_08262014_231328.log - RKreport_SCN_08262014_232051.log
RKreport_SCN_08262014_234330.log - RKreport_SCN_08272014_005804.log - RKreport_SCN_08272014_011227.log - RKreport_SCN_08292014_192743.log
RKreport_SCN_08292014_193402.log - RKreport_SCN_08292014_235858.log - RKreport_SCN_08302014_192425.log - RKreport_SCN_08302014_195223.log
RKreport_SCN_08302014_215628.log - RKreport_SCN_08302014_220227.log - RKreport_SCN_08302014_221353.log - RKreport_SCN_08312014_024930.log
RKreport_SCN_08312014_030634.log - RKreport_SCN_08312014_125520.log - RKreport_SCN_08312014_130415.log - RKreport_SCN_08312014_150328.log
RKreport_SCN_08312014_162836.log - RKreport_SCN_08312014_163452.log - RKreport_SCN_08312014_211802.log - RKreport_SCN_09032014_000512.log
RKreport_SCN_09042014_052237.log - RKreport_SCN_09042014_123307.log - RKreport_SCN_09042014_200927.log - RKreport_SCN_09042014_201302.log
RKreport_SCN_09042014_203222.log - RKreport_SCN_09042014_225307.log - RKreport_SCN_09052014_010749.log - RKreport_SCN_09052014_025055.log
RKreport_SCN_09052014_032751.log - RKreport_SCN_09052014_033452.log - RKreport_SCN_09052014_122730.log - RKreport_SCN_09062014_102110.log
RKreport_SCN_09062014_192723.log - RKreport_SCN_09062014_193830.log - RKreport_SCN_09062014_195228.log - RKreport_SCN_09062014_205845.log
RKreport_SCN_09062014_215014.log - RKreport_SCN_09062014_234832.log - RKreport_SCN_09072014_000755.log - RKreport_SCN_09072014_001743.log
RKreport_SCN_09072014_003211.log - RKreport_SCN_09072014_003828.log - RKreport_SCN_09072014_004252.log - RKreport_SCN_09072014_005346.log
RKreport_SCN_09072014_012029.log - RKreport_SCN_09072014_013725.log - RKreport_SCN_09072014_014936.log - RKreport_SCN_09072014_020349.log
RKreport_SCN_09072014_021626.log - RKreport_SCN_09072014_022839.log - RKreport_SCN_09072014_031936.log - RKreport_SCN_09072014_033119.log
RKreport_SCN_09072014_170442.log - RKreport_SCN_09072014_171513.log - RKreport_SCN_09072014_172715.log - RKreport_SCN_09072014_173754.log
RKreport_SCN_09072014_174803.log - RKreport_SCN_09072014_175837.log - RKreport_SCN_09072014_175853.log - RKreport_SCN_09072014_180410.log
RKreport_SCN_09072014_180945.log - RKreport_SCN_09072014_181539.log - RKreport_SCN_09072014_182132.log - RKreport_SCN_09072014_182717.log
RKreport_SCN_09072014_183258.log - RKreport_SCN_09072014_183911.log - RKreport_SCN_09072014_185443.log - RKreport_SCN_09072014_201050.log
RKreport_SCN_09072014_222312.log - RKreport_SCN_09072014_230004.log - RKreport_SCN_09082014_175721.log - RKreport_SCN_09082014_181234.log
RKreport_SCN_09082014_195327.log - RKreport_SCN_09092014_024838.log - RKreport_SCN_09102014_003309.log - RKreport_SCN_09122014_184727.log
RKreport_SCN_09122014_185857.log - RKreport_SCN_09122014_223225.log - RKreport_SCN_09132014_031123.log - RKreport_SCN_09132014_033024.log
RKreport_SCN_09142014_163814.log - RKreport_SCN_09162014_155818.log - RKreport_SCN_09182014_161214.log - RKreport_SCN_09182014_162655.log
RKreport_SCN_09192014_022245.log - RKreport_SCN_09192014_033736.log - RKreport_SCN_09192014_142803.log - RKreport_SCN_09192014_150406.log
RKreport_SCN_09192014_183936.log - RKreport_SCN_09222014_183836.log

==================================================================

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-23 17:37:51
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0 232.89GB
Running: gmer.exe; Driver: C:\Users\Rai\AppData\Local\Temp\pwdiqpow.sys

---- System - GMER 2.1 ----

SSDT 8C83E11E ZwCreateSection
SSDT 8C83E128 ZwRequestWaitReplyPort
SSDT 8C83E123 ZwSetContextThread
SSDT 8C83E12D ZwSetSecurityObject
SSDT 8C83E132 ZwSystemDebugControl
SSDT 8C83E0BF ZwTerminateProcess

---- Devices - GMER 2.1 ----

Device \Driver\USBSTOR -> DriverStartIo \Device\0000008e BE034F26
Device \Driver\USBSTOR \Device\0000008e BE03EFC8
Device \Driver\USBSTOR -> DriverStartIo \Device\0000008f BE034F26
Device \Driver\USBSTOR \Device\0000008f BE03EFC8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys

Device \Driver\hwdatacard \Device\QCUSB_COM10_2 BE1C3A3C

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys

Device \Driver\hwdatacard \Device\QCUSB_COM11_3 BE1C3A3C
Device \Driver\hwdatacard \Device\QCUSB_COM9_1 BE1C3A3C
Device \Driver\USBSTOR -> DriverStartIo \Device\00000090 BE034F26
Device \Driver\USBSTOR \Device\00000090 BE03EFC8
Device \Driver\USBSTOR -> DriverStartIo \Device\00000091 BE034F26
Device \Driver\USBSTOR \Device\00000091 BE03EFC8

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622 0xD1 0x07 0xB8 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x00 0x21 0x5B 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622 0xD1 0x07 0xB8 0x75 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x00 0x21 0x5B 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622 0xD1 0x07 0xB8 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x00 0x21 0x5B 0xCF ...

---- EOF - GMER 2.1 ----

Tigzy · « **Reply #14 on:** September 23, 2014, 01:21:08 PM »

Ok, it looks like the key is gone.
In orange is suspicious, but by experience it's not malware.
And you can't remove it, just ignore that.

Author Topic: Can't be deleted possible malware (Read 20162 times)

RaiZZZ19

Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

Tigzy

Re: Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

Tigzy

Re: Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

Tigzy

Re: Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

Tigzy

Re: Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

Tigzy

Re: Can't be deleted possible malware

RaiZZZ19

Re: Can't be deleted possible malware

Tigzy

Re: Can't be deleted possible malware