Author Topic: Can't be deleted possible malware  (Read 19440 times)

0 Members and 1 Guest are viewing this topic.

September 18, 2014, 09:51:55 PM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Can't be deleted possible malware
« on: September 18, 2014, 09:51:55 PM »
I had trouble dealing with this because I don't know if it's a malware or not and Roguekiller seems can't delete it.
Here's my report using the latest. I've tried everything from antivrus to superantimalware and combofix but nothing seems to remove it. It gives me headache. Pls help. Also I noticed my screen have a stain if I have a malware and now my broadband stick does not display the correct color for speed connection.

RogueKiller V9.2.11.0 [Sep  9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Remove -- Date : 09/19/2014  03:38:18

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A773825-CD3A-43AA-B6FF-1A6A9E969E5E} | NameServer : 121.1.3.74 121.1.3.89  -> REPLACED ()

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 7 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : Unknown @ 0x8bd70b16
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8bd70b20
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x8bd70b1b
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8bd70b25
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8bd70b2a
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8bd70b3e
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8bd70b43

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_08252014_141057.log - RKreport_DEL_08252014_142437.log - RKreport_DEL_08252014_143444.log - RKreport_DEL_08252014_144154.log
RKreport_DEL_08252014_144912.log - RKreport_DEL_08252014_150337.log - RKreport_DEL_08262014_231506.log - RKreport_DEL_08262014_232640.log
RKreport_DEL_08262014_234357.log - RKreport_DEL_08292014_192844.log - RKreport_DEL_08302014_192856.log - RKreport_DEL_08302014_215715.log
RKreport_DEL_08312014_125835.log - RKreport_DEL_08312014_130448.log - RKreport_DEL_08312014_163003.log - RKreport_DEL_08312014_163943.log
RKreport_DEL_08312014_211853.log - RKreport_DEL_09042014_052841.log - RKreport_DEL_09042014_201213.log - RKreport_DEL_09042014_203512.log
RKreport_DEL_09052014_010805.log - RKreport_DEL_09052014_032809.log - RKreport_DEL_09062014_192835.log - RKreport_DEL_09062014_193849.log
RKreport_DEL_09062014_210144.log - RKreport_DEL_09072014_000852.log - RKreport_DEL_09072014_002032.log - RKreport_DEL_09072014_003229.log
RKreport_DEL_09072014_004306.log - RKreport_DEL_09072014_012101.log - RKreport_DEL_09072014_013809.log - RKreport_DEL_09072014_015023.log
RKreport_DEL_09072014_020430.log - RKreport_DEL_09072014_021655.log - RKreport_DEL_09072014_022916.log - RKreport_DEL_09072014_031947.log
RKreport_DEL_09072014_033134.log - RKreport_DEL_09072014_170449.log - RKreport_DEL_09072014_171547.log - RKreport_DEL_09072014_172720.log
RKreport_DEL_09072014_173809.log - RKreport_DEL_09072014_174812.log - RKreport_DEL_09072014_175842.log - RKreport_DEL_09072014_180416.log
RKreport_DEL_09072014_180950.log - RKreport_DEL_09072014_181548.log - RKreport_DEL_09072014_182141.log - RKreport_DEL_09072014_182725.log
RKreport_DEL_09072014_183304.log - RKreport_DEL_09072014_184153.log - RKreport_DEL_09072014_185519.log - RKreport_DEL_09072014_201056.log
RKreport_DEL_09072014_222351.log - RKreport_DEL_09072014_230025.log - RKreport_DEL_09082014_180137.log - RKreport_DEL_09082014_195410.log
RKreport_DEL_09092014_024938.log - RKreport_DEL_09102014_003411.log - RKreport_DEL_09122014_184753.log - RKreport_DEL_09122014_185920.log
RKreport_DEL_09122014_223254.log - RKreport_DEL_09132014_031215.log - RKreport_DEL_09192014_022324.log - RKreport_SCN_08252014_140738.log
RKreport_SCN_08252014_142050.log - RKreport_SCN_08252014_143226.log - RKreport_SCN_08252014_144120.log - RKreport_SCN_08252014_144747.log
RKreport_SCN_08252014_145755.log - RKreport_SCN_08252014_151229.log - RKreport_SCN_08252014_181328.log - RKreport_SCN_08262014_231328.log
RKreport_SCN_08262014_232051.log - RKreport_SCN_08262014_234330.log - RKreport_SCN_08272014_005804.log - RKreport_SCN_08272014_011227.log
RKreport_SCN_08292014_192743.log - RKreport_SCN_08292014_193402.log - RKreport_SCN_08292014_235858.log - RKreport_SCN_08302014_192425.log
RKreport_SCN_08302014_195223.log - RKreport_SCN_08302014_215628.log - RKreport_SCN_08302014_220227.log - RKreport_SCN_08302014_221353.log
RKreport_SCN_08312014_024930.log - RKreport_SCN_08312014_030634.log - RKreport_SCN_08312014_125520.log - RKreport_SCN_08312014_130415.log
RKreport_SCN_08312014_150328.log - RKreport_SCN_08312014_162836.log - RKreport_SCN_08312014_163452.log - RKreport_SCN_08312014_211802.log
RKreport_SCN_09032014_000512.log - RKreport_SCN_09042014_052237.log - RKreport_SCN_09042014_123307.log - RKreport_SCN_09042014_200927.log
RKreport_SCN_09042014_201302.log - RKreport_SCN_09042014_203222.log - RKreport_SCN_09042014_225307.log - RKreport_SCN_09052014_010749.log
RKreport_SCN_09052014_025055.log - RKreport_SCN_09052014_032751.log - RKreport_SCN_09052014_033452.log - RKreport_SCN_09052014_122730.log
RKreport_SCN_09062014_102110.log - RKreport_SCN_09062014_192723.log - RKreport_SCN_09062014_193830.log - RKreport_SCN_09062014_195228.log
RKreport_SCN_09062014_205845.log - RKreport_SCN_09062014_215014.log - RKreport_SCN_09062014_234832.log - RKreport_SCN_09072014_000755.log
RKreport_SCN_09072014_001743.log - RKreport_SCN_09072014_003211.log - RKreport_SCN_09072014_003828.log - RKreport_SCN_09072014_004252.log
RKreport_SCN_09072014_005346.log - RKreport_SCN_09072014_012029.log - RKreport_SCN_09072014_013725.log - RKreport_SCN_09072014_014936.log
RKreport_SCN_09072014_020349.log - RKreport_SCN_09072014_021626.log - RKreport_SCN_09072014_022839.log - RKreport_SCN_09072014_031936.log
RKreport_SCN_09072014_033119.log - RKreport_SCN_09072014_170442.log - RKreport_SCN_09072014_171513.log - RKreport_SCN_09072014_172715.log
RKreport_SCN_09072014_173754.log - RKreport_SCN_09072014_174803.log - RKreport_SCN_09072014_175837.log - RKreport_SCN_09072014_175853.log
RKreport_SCN_09072014_180410.log - RKreport_SCN_09072014_180945.log - RKreport_SCN_09072014_181539.log - RKreport_SCN_09072014_182132.log
RKreport_SCN_09072014_182717.log - RKreport_SCN_09072014_183258.log - RKreport_SCN_09072014_183911.log - RKreport_SCN_09072014_185443.log
RKreport_SCN_09072014_201050.log - RKreport_SCN_09072014_222312.log - RKreport_SCN_09072014_230004.log - RKreport_SCN_09082014_175721.log
RKreport_SCN_09082014_181234.log - RKreport_SCN_09082014_195327.log - RKreport_SCN_09092014_024838.log - RKreport_SCN_09102014_003309.log
RKreport_SCN_09122014_184727.log - RKreport_SCN_09122014_185857.log - RKreport_SCN_09122014_223225.log - RKreport_SCN_09132014_031123.log
RKreport_SCN_09132014_033024.log - RKreport_SCN_09142014_163814.log - RKreport_SCN_09162014_155818.log - RKreport_SCN_09182014_161214.log
RKreport_SCN_09182014_162655.log - RKreport_SCN_09192014_022245.log - RKreport_SCN_09192014_033736.log

Reply #1September 19, 2014, 08:47:15 AM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #1 on: September 19, 2014, 08:47:15 AM »
Here's a 2nd scan with more detection

Code: [Select]
RogueKiller V9.2.11.0 [Sep  9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Scan -- Date : 09/19/2014  14:28:03

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A773825-CD3A-43AA-B6FF-1A6A9E969E5E} | NameServer : 121.1.3.74 121.1.3.89  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 23 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962e8c
[SSDT:Addr(Hook.SSDT)] NtCreateThread[78] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1963010
[SSDT:Addr(Hook.SSDT)] NtMakeTemporaryObject[174] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962e02
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196312e
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8bd70b20
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196324e
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8bd70b25
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f94c
[SSDT:Addr(Hook.SSDT)] NtSetSystemTime[319] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195fb02
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8bd70b2a
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8bd70ab7
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1962d74
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196102e
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb196309e
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallTwoParam[334] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1961d0a
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f2f6
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195f292
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195eece
[ShwSSDT:Addr(Hook.Shadow)] NtUserQueryWindow[504] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195ecce
[ShwSSDT:Addr(Hook.Shadow)] NtUserSendInput[525] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb1961cb4
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8bd70b3e
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8bd70b43
[ShwSSDT:Addr(Hook.Shadow)] NtUserSwitchDesktop[582] : C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys @ 0xb195e99c

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_08252014_141057.log - RKreport_DEL_08252014_142437.log - RKreport_DEL_08252014_143444.log - RKreport_DEL_08252014_144154.log
RKreport_DEL_08252014_144912.log - RKreport_DEL_08252014_150337.log - RKreport_DEL_08262014_231506.log - RKreport_DEL_08262014_232640.log
RKreport_DEL_08262014_234357.log - RKreport_DEL_08292014_192844.log - RKreport_DEL_08302014_192856.log - RKreport_DEL_08302014_215715.log
RKreport_DEL_08312014_125835.log - RKreport_DEL_08312014_130448.log - RKreport_DEL_08312014_163003.log - RKreport_DEL_08312014_163943.log
RKreport_DEL_08312014_211853.log - RKreport_DEL_09042014_052841.log - RKreport_DEL_09042014_201213.log - RKreport_DEL_09042014_203512.log
RKreport_DEL_09052014_010805.log - RKreport_DEL_09052014_032809.log - RKreport_DEL_09062014_192835.log - RKreport_DEL_09062014_193849.log
RKreport_DEL_09062014_210144.log - RKreport_DEL_09072014_000852.log - RKreport_DEL_09072014_002032.log - RKreport_DEL_09072014_003229.log
RKreport_DEL_09072014_004306.log - RKreport_DEL_09072014_012101.log - RKreport_DEL_09072014_013809.log - RKreport_DEL_09072014_015023.log
RKreport_DEL_09072014_020430.log - RKreport_DEL_09072014_021655.log - RKreport_DEL_09072014_022916.log - RKreport_DEL_09072014_031947.log
RKreport_DEL_09072014_033134.log - RKreport_DEL_09072014_170449.log - RKreport_DEL_09072014_171547.log - RKreport_DEL_09072014_172720.log
RKreport_DEL_09072014_173809.log - RKreport_DEL_09072014_174812.log - RKreport_DEL_09072014_175842.log - RKreport_DEL_09072014_180416.log
RKreport_DEL_09072014_180950.log - RKreport_DEL_09072014_181548.log - RKreport_DEL_09072014_182141.log - RKreport_DEL_09072014_182725.log
RKreport_DEL_09072014_183304.log - RKreport_DEL_09072014_184153.log - RKreport_DEL_09072014_185519.log - RKreport_DEL_09072014_201056.log
RKreport_DEL_09072014_222351.log - RKreport_DEL_09072014_230025.log - RKreport_DEL_09082014_180137.log - RKreport_DEL_09082014_195410.log
RKreport_DEL_09092014_024938.log - RKreport_DEL_09102014_003411.log - RKreport_DEL_09122014_184753.log - RKreport_DEL_09122014_185920.log
RKreport_DEL_09122014_223254.log - RKreport_DEL_09132014_031215.log - RKreport_DEL_09192014_022324.log - RKreport_DEL_09192014_033818.log
RKreport_SCN_08252014_140738.log - RKreport_SCN_08252014_142050.log - RKreport_SCN_08252014_143226.log - RKreport_SCN_08252014_144120.log
RKreport_SCN_08252014_144747.log - RKreport_SCN_08252014_145755.log - RKreport_SCN_08252014_151229.log - RKreport_SCN_08252014_181328.log
RKreport_SCN_08262014_231328.log - RKreport_SCN_08262014_232051.log - RKreport_SCN_08262014_234330.log - RKreport_SCN_08272014_005804.log
RKreport_SCN_08272014_011227.log - RKreport_SCN_08292014_192743.log - RKreport_SCN_08292014_193402.log - RKreport_SCN_08292014_235858.log
RKreport_SCN_08302014_192425.log - RKreport_SCN_08302014_195223.log - RKreport_SCN_08302014_215628.log - RKreport_SCN_08302014_220227.log
RKreport_SCN_08302014_221353.log - RKreport_SCN_08312014_024930.log - RKreport_SCN_08312014_030634.log - RKreport_SCN_08312014_125520.log
RKreport_SCN_08312014_130415.log - RKreport_SCN_08312014_150328.log - RKreport_SCN_08312014_162836.log - RKreport_SCN_08312014_163452.log
RKreport_SCN_08312014_211802.log - RKreport_SCN_09032014_000512.log - RKreport_SCN_09042014_052237.log - RKreport_SCN_09042014_123307.log
RKreport_SCN_09042014_200927.log - RKreport_SCN_09042014_201302.log - RKreport_SCN_09042014_203222.log - RKreport_SCN_09042014_225307.log
RKreport_SCN_09052014_010749.log - RKreport_SCN_09052014_025055.log - RKreport_SCN_09052014_032751.log - RKreport_SCN_09052014_033452.log
RKreport_SCN_09052014_122730.log - RKreport_SCN_09062014_102110.log - RKreport_SCN_09062014_192723.log - RKreport_SCN_09062014_193830.log
RKreport_SCN_09062014_195228.log - RKreport_SCN_09062014_205845.log - RKreport_SCN_09062014_215014.log - RKreport_SCN_09062014_234832.log
RKreport_SCN_09072014_000755.log - RKreport_SCN_09072014_001743.log - RKreport_SCN_09072014_003211.log - RKreport_SCN_09072014_003828.log
RKreport_SCN_09072014_004252.log - RKreport_SCN_09072014_005346.log - RKreport_SCN_09072014_012029.log - RKreport_SCN_09072014_013725.log
RKreport_SCN_09072014_014936.log - RKreport_SCN_09072014_020349.log - RKreport_SCN_09072014_021626.log - RKreport_SCN_09072014_022839.log
RKreport_SCN_09072014_031936.log - RKreport_SCN_09072014_033119.log - RKreport_SCN_09072014_170442.log - RKreport_SCN_09072014_171513.log
RKreport_SCN_09072014_172715.log - RKreport_SCN_09072014_173754.log - RKreport_SCN_09072014_174803.log - RKreport_SCN_09072014_175837.log
RKreport_SCN_09072014_175853.log - RKreport_SCN_09072014_180410.log - RKreport_SCN_09072014_180945.log - RKreport_SCN_09072014_181539.log
RKreport_SCN_09072014_182132.log - RKreport_SCN_09072014_182717.log - RKreport_SCN_09072014_183258.log - RKreport_SCN_09072014_183911.log
RKreport_SCN_09072014_185443.log - RKreport_SCN_09072014_201050.log - RKreport_SCN_09072014_222312.log - RKreport_SCN_09072014_230004.log
RKreport_SCN_09082014_175721.log - RKreport_SCN_09082014_181234.log - RKreport_SCN_09082014_195327.log - RKreport_SCN_09092014_024838.log
RKreport_SCN_09102014_003309.log - RKreport_SCN_09122014_184727.log - RKreport_SCN_09122014_185857.log - RKreport_SCN_09122014_223225.log
RKreport_SCN_09132014_031123.log - RKreport_SCN_09132014_033024.log - RKreport_SCN_09142014_163814.log - RKreport_SCN_09162014_155818.log
RKreport_SCN_09182014_161214.log - RKreport_SCN_09182014_162655.log - RKreport_SCN_09192014_022245.log - RKreport_SCN_09192014_033736.log

Reply #2September 19, 2014, 10:05:50 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 954
  • Reputation:
    90
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Can't be deleted possible malware
« Reply #2 on: September 19, 2014, 10:05:50 AM »
Indeed, that looks suspicious.
Do you find that file? C:\Users\Rai\AppData\Local\Temp\B098834F4D.sys

Reply #3September 21, 2014, 12:01:22 PM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #3 on: September 21, 2014, 12:01:22 PM »
I can't find it. Don't know if its hiding itself. And there are other temp folders (12 & 35) aside from the original temp. How do I fix these?

Reply #4September 21, 2014, 12:11:31 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 954
  • Reputation:
    90
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Can't be deleted possible malware
« Reply #4 on: September 21, 2014, 12:11:31 PM »
Does that still happen after a reboot + rescan?
If yes, please scan with Gmer: http://www.gmer.net/

Reply #5September 21, 2014, 12:24:43 PM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #5 on: September 21, 2014, 12:24:43 PM »
Yes. And everytime I go to a site I'm directed to cloudfare or other security check. Ok I'll try Gmer.

Reply #6September 21, 2014, 10:11:41 PM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #6 on: September 21, 2014, 10:11:41 PM »
Here's the GMER Scan:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-22 04:05:42
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0 232.89GB
Running: gmer.exe; Driver: C:\Users\Rai\AppData\Local\Temp\pwdiqpow.sys


---- System - GMER 2.1 ----

SSDT            8BD31CFE                                                                                              ZwCreateSection
SSDT            8BD31D08                                                                                              ZwRequestWaitReplyPort
SSDT            8BD31D03                                                                                              ZwSetContextThread
SSDT            8BD31D0D                                                                                              ZwSetSecurityObject
SSDT            8BD31D12                                                                                              ZwSystemDebugControl
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS                                                    ZwTerminateProcess [0x8F690640]

---- Kernel code sections - GMER 2.1 ----

.text           ntkrnlpa.exe!KeSetEvent + 215                                                                         840FC860 4 Bytes  [FE, 1C, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 539                                                                         840FCB84 4 Bytes  [08, 1D, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 56D                                                                         840FCBB8 4 Bytes  [03, 1D, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 5D1                                                                         840FCC1C 4 Bytes  [0D, 1D, D3, 8B]
.text           ntkrnlpa.exe!KeSetEvent + 619                                                                         840FCC64 4 Bytes  [12, 1D, D3, 8B]
.text           ...                                                                                                   

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                               Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                               Wdf01000.sys

---- Registry - GMER 2.1 ----

Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622              0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                0x00 0x21 0x5B 0xCF ...

---- EOF - GMER 2.1 ----

Reply #7September 22, 2014, 09:02:09 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 954
  • Reputation:
    90
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Can't be deleted possible malware
« Reply #7 on: September 22, 2014, 09:02:09 AM »
Can you try to see if there's the driver file in TMP folder within Gmer? (there's a directory explorer)
If you see it, please rename the file. That's weird, at least a hidden service should be existing...

Reply #8September 22, 2014, 11:07:02 AM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #8 on: September 22, 2014, 11:07:02 AM »
I think I downloaded the .exe that doesn't need to install. and the driver file your mentioning is in that installer. I downloaded the non installer bec. it doesnt let me download the installer. So I'll try again.

Reply #9September 22, 2014, 11:18:06 AM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #9 on: September 22, 2014, 11:18:06 AM »
I've downloaded both and both are only .exe file. So I open with 7z but all files I found are digits and sys file. It basically runs and doesnt need to install so I don't know where that tmp folder your talking about.

Reply #10September 22, 2014, 11:30:47 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 954
  • Reputation:
    90
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Can't be deleted possible malware
« Reply #10 on: September 22, 2014, 11:30:47 AM »
It's a little confusing to me.

Quote
I think I downloaded the .exe that doesn't need to install. and the driver file your mentioning is in that installer. I downloaded the non installer bec. it doesnt let me download the installer. So I'll try again.
Installer of what program?

Reply #11September 22, 2014, 11:41:59 AM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #11 on: September 22, 2014, 11:41:59 AM »
I'm a little confused because I can't find where it was installed. I go to that site and downloaded it. It was in zip and inside is Gmer.exe and another but no zip and named with a combination of numbers and letters. It's just double click then you start to scan. But it did say in the site that it installed somewhere and you can delete it. Maybe I'm missing something here. Anyway I'm scanning for the 2nd time so maybe I did something wrong on the 1st scan.

Reply #12September 22, 2014, 11:45:55 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 954
  • Reputation:
    90
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Can't be deleted possible malware
« Reply #12 on: September 22, 2014, 11:45:55 AM »
On the site, just click on button "Download exe"
It's standalone tool, no installation.

Reply #13September 23, 2014, 01:01:23 PM

RaiZZZ19

  • Newbie

  • Offline
  • *

  • 16
  • Reputation:
    0
    • View Profile
Re: Can't be deleted possible malware
« Reply #13 on: September 23, 2014, 01:01:23 PM »
Yeah that's what I did. So that not to confuse I made a new scan with Roguekiller and after that
is Gmer. Here's a pic and the report;
But may I ask, is the highlighted in orange [SSDT] a good thing or a bad thing and if it's bad
can it be removed? And from another pic there's these stains from the top screen which I
believed is caused by malware. The changes I found in my laptop are suspicious. On startup
my firewall seems to be always turned off which happened recently and my Broadband stick
is displaying wrong color indication even if the signal is strong. Also I have a game that have
a notepad file which sometimes the contents of it are erased but the file is still there resulting
to the game unable to start.





=============================================================
RogueKiller V9.2.11.0 [Sep  9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Rai [Admin rights]
Mode : Scan -- Date : 09/23/2014  17:01:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 8 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtCreateSection[75] : Unknown @ 0x8c83e11e
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[276] : Unknown @ 0x8c83e128
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x8c83e123
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[314] : Unknown @ 0x8c83e12d
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[332] : Unknown @ 0x8c83e132
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8c83e0bf
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x8c83e146
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x8c83e14b

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98500ec2b7b5edecd534cd194c873eea
[BSP] fb2fd27aa6b059f12a8e0326786d723d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 110000 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 225282048 | Size: 128473 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_08252014_141057.log - RKreport_DEL_08252014_142437.log - RKreport_DEL_08252014_143444.log - RKreport_DEL_08252014_144154.log
RKreport_DEL_08252014_144912.log - RKreport_DEL_08252014_150337.log - RKreport_DEL_08262014_231506.log - RKreport_DEL_08262014_232640.log
RKreport_DEL_08262014_234357.log - RKreport_DEL_08292014_192844.log - RKreport_DEL_08302014_192856.log - RKreport_DEL_08302014_215715.log
RKreport_DEL_08312014_125835.log - RKreport_DEL_08312014_130448.log - RKreport_DEL_08312014_163003.log - RKreport_DEL_08312014_163943.log
RKreport_DEL_08312014_211853.log - RKreport_DEL_09042014_052841.log - RKreport_DEL_09042014_201213.log - RKreport_DEL_09042014_203512.log
RKreport_DEL_09052014_010805.log - RKreport_DEL_09052014_032809.log - RKreport_DEL_09062014_192835.log - RKreport_DEL_09062014_193849.log
RKreport_DEL_09062014_210144.log - RKreport_DEL_09072014_000852.log - RKreport_DEL_09072014_002032.log - RKreport_DEL_09072014_003229.log
RKreport_DEL_09072014_004306.log - RKreport_DEL_09072014_012101.log - RKreport_DEL_09072014_013809.log - RKreport_DEL_09072014_015023.log
RKreport_DEL_09072014_020430.log - RKreport_DEL_09072014_021655.log - RKreport_DEL_09072014_022916.log - RKreport_DEL_09072014_031947.log
RKreport_DEL_09072014_033134.log - RKreport_DEL_09072014_170449.log - RKreport_DEL_09072014_171547.log - RKreport_DEL_09072014_172720.log
RKreport_DEL_09072014_173809.log - RKreport_DEL_09072014_174812.log - RKreport_DEL_09072014_175842.log - RKreport_DEL_09072014_180416.log
RKreport_DEL_09072014_180950.log - RKreport_DEL_09072014_181548.log - RKreport_DEL_09072014_182141.log - RKreport_DEL_09072014_182725.log
RKreport_DEL_09072014_183304.log - RKreport_DEL_09072014_184153.log - RKreport_DEL_09072014_185519.log - RKreport_DEL_09072014_201056.log
RKreport_DEL_09072014_222351.log - RKreport_DEL_09072014_230025.log - RKreport_DEL_09082014_180137.log - RKreport_DEL_09082014_195410.log
RKreport_DEL_09092014_024938.log - RKreport_DEL_09102014_003411.log - RKreport_DEL_09122014_184753.log - RKreport_DEL_09122014_185920.log
RKreport_DEL_09122014_223254.log - RKreport_DEL_09132014_031215.log - RKreport_DEL_09192014_022324.log - RKreport_DEL_09192014_033818.log
RKreport_DEL_09192014_142930.log - RKreport_DEL_09192014_184013.log - RKreport_SCN_08252014_140738.log - RKreport_SCN_08252014_142050.log
RKreport_SCN_08252014_143226.log - RKreport_SCN_08252014_144120.log - RKreport_SCN_08252014_144747.log - RKreport_SCN_08252014_145755.log
RKreport_SCN_08252014_151229.log - RKreport_SCN_08252014_181328.log - RKreport_SCN_08262014_231328.log - RKreport_SCN_08262014_232051.log
RKreport_SCN_08262014_234330.log - RKreport_SCN_08272014_005804.log - RKreport_SCN_08272014_011227.log - RKreport_SCN_08292014_192743.log
RKreport_SCN_08292014_193402.log - RKreport_SCN_08292014_235858.log - RKreport_SCN_08302014_192425.log - RKreport_SCN_08302014_195223.log
RKreport_SCN_08302014_215628.log - RKreport_SCN_08302014_220227.log - RKreport_SCN_08302014_221353.log - RKreport_SCN_08312014_024930.log
RKreport_SCN_08312014_030634.log - RKreport_SCN_08312014_125520.log - RKreport_SCN_08312014_130415.log - RKreport_SCN_08312014_150328.log
RKreport_SCN_08312014_162836.log - RKreport_SCN_08312014_163452.log - RKreport_SCN_08312014_211802.log - RKreport_SCN_09032014_000512.log
RKreport_SCN_09042014_052237.log - RKreport_SCN_09042014_123307.log - RKreport_SCN_09042014_200927.log - RKreport_SCN_09042014_201302.log
RKreport_SCN_09042014_203222.log - RKreport_SCN_09042014_225307.log - RKreport_SCN_09052014_010749.log - RKreport_SCN_09052014_025055.log
RKreport_SCN_09052014_032751.log - RKreport_SCN_09052014_033452.log - RKreport_SCN_09052014_122730.log - RKreport_SCN_09062014_102110.log
RKreport_SCN_09062014_192723.log - RKreport_SCN_09062014_193830.log - RKreport_SCN_09062014_195228.log - RKreport_SCN_09062014_205845.log
RKreport_SCN_09062014_215014.log - RKreport_SCN_09062014_234832.log - RKreport_SCN_09072014_000755.log - RKreport_SCN_09072014_001743.log
RKreport_SCN_09072014_003211.log - RKreport_SCN_09072014_003828.log - RKreport_SCN_09072014_004252.log - RKreport_SCN_09072014_005346.log
RKreport_SCN_09072014_012029.log - RKreport_SCN_09072014_013725.log - RKreport_SCN_09072014_014936.log - RKreport_SCN_09072014_020349.log
RKreport_SCN_09072014_021626.log - RKreport_SCN_09072014_022839.log - RKreport_SCN_09072014_031936.log - RKreport_SCN_09072014_033119.log
RKreport_SCN_09072014_170442.log - RKreport_SCN_09072014_171513.log - RKreport_SCN_09072014_172715.log - RKreport_SCN_09072014_173754.log
RKreport_SCN_09072014_174803.log - RKreport_SCN_09072014_175837.log - RKreport_SCN_09072014_175853.log - RKreport_SCN_09072014_180410.log
RKreport_SCN_09072014_180945.log - RKreport_SCN_09072014_181539.log - RKreport_SCN_09072014_182132.log - RKreport_SCN_09072014_182717.log
RKreport_SCN_09072014_183258.log - RKreport_SCN_09072014_183911.log - RKreport_SCN_09072014_185443.log - RKreport_SCN_09072014_201050.log
RKreport_SCN_09072014_222312.log - RKreport_SCN_09072014_230004.log - RKreport_SCN_09082014_175721.log - RKreport_SCN_09082014_181234.log
RKreport_SCN_09082014_195327.log - RKreport_SCN_09092014_024838.log - RKreport_SCN_09102014_003309.log - RKreport_SCN_09122014_184727.log
RKreport_SCN_09122014_185857.log - RKreport_SCN_09122014_223225.log - RKreport_SCN_09132014_031123.log - RKreport_SCN_09132014_033024.log
RKreport_SCN_09142014_163814.log - RKreport_SCN_09162014_155818.log - RKreport_SCN_09182014_161214.log - RKreport_SCN_09182014_162655.log
RKreport_SCN_09192014_022245.log - RKreport_SCN_09192014_033736.log - RKreport_SCN_09192014_142803.log - RKreport_SCN_09192014_150406.log
RKreport_SCN_09192014_183936.log - RKreport_SCN_09222014_183836.log

==================================================================

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-23 17:37:51
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0 232.89GB
Running: gmer.exe; Driver: C:\Users\Rai\AppData\Local\Temp\pwdiqpow.sys


---- System - GMER 2.1 ----

SSDT            8C83E11E                                                                                              ZwCreateSection
SSDT            8C83E128                                                                                              ZwRequestWaitReplyPort
SSDT            8C83E123                                                                                              ZwSetContextThread
SSDT            8C83E12D                                                                                              ZwSetSecurityObject
SSDT            8C83E132                                                                                              ZwSystemDebugControl
SSDT            8C83E0BF                                                                                              ZwTerminateProcess

---- Devices - GMER 2.1 ----

Device          \Driver\USBSTOR -> DriverStartIo \Device\0000008e                                                     BE034F26
Device          \Driver\USBSTOR \Device\0000008e                                                                      BE03EFC8
Device          \Driver\USBSTOR -> DriverStartIo \Device\0000008f                                                     BE034F26
Device          \Driver\USBSTOR \Device\0000008f                                                                      BE03EFC8

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                               Wdf01000.sys

Device          \Driver\hwdatacard \Device\QCUSB_COM10_2                                                              BE1C3A3C

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                               Wdf01000.sys

Device          \Driver\hwdatacard \Device\QCUSB_COM11_3                                                              BE1C3A3C
Device          \Driver\hwdatacard \Device\QCUSB_COM9_1                                                               BE1C3A3C
Device          \Driver\USBSTOR -> DriverStartIo \Device\00000090                                                     BE034F26
Device          \Driver\USBSTOR \Device\00000090                                                                      BE03EFC8
Device          \Driver\USBSTOR -> DriverStartIo \Device\00000091                                                     BE034F26
Device          \Driver\USBSTOR \Device\00000091                                                                      BE03EFC8

---- Registry - GMER 2.1 ----

Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622                  0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                       0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                    0x00 0x21 0x5B 0xCF ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556f814e0@02823c0d6622              0xD1 0x07 0xB8 0x75 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                0x00 0x21 0x5B 0xCF ...

---- EOF - GMER 2.1 ----

Reply #14September 23, 2014, 01:21:08 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 954
  • Reputation:
    90
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Can't be deleted possible malware
« Reply #14 on: September 23, 2014, 01:21:08 PM »
Ok, it looks like the key is gone.
In orange is suspicious, but by experience it's not malware.
And you can't remove it, just ignore that.