Author Topic: help with rogue killer  (Read 8428 times)

dsdave

  • Guest
help with rogue killer
« on: October 25, 2014, 04:51:05 AM »
I am having trouble with malware. I am unable to remove it.
I am not sure what to do with my scan; see the log below.

RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software


Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Mode : Scan -- Date : 10/24/2014  22:31:21

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 | (default) : C:\Users\Dave\AppData\Local\Temp\sypcdjt\shoimqs\wow64.dll  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 12 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\SysWOW64\drivers\Afc.sys)
[IAT:Addr] (explorer.exe @ systemcpl.dll) NETAPI32.dll - DsRoleFreeMemory : C:\Windows\system32\dsrole.dll @ 0x7fefa701438
[IAT:Addr] (explorer.exe @ systemcpl.dll) NETAPI32.dll - DsRoleGetPrimaryDomainInformation : C:\Windows\system32\dsrole.dll @ 0x7fefa701010
[IAT:Addr] (explorer.exe @ systemcpl.dll) NETAPI32.dll - NetServerGetInfo : C:\Windows\system32\srvcli.dll @ 0x7fefcbb1968
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLOpen : C:\Windows\system32\SPPC.DLL @ 0x7feecda85c4
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetLicensingStatusInformation : C:\Windows\system32\SPPC.DLL @ 0x7feecdaaab4
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetSLIDList : C:\Windows\system32\SPPC.DLL @ 0x7feecda9c44
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetPKeyInformation : C:\Windows\system32\SPPC.DLL @ 0x7feecdaa974
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLClose : C:\Windows\system32\SPPC.DLL @ 0x7feecda86f0
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLGetProductSkuInformation : C:\Windows\system32\SPPC.DLL @ 0x7feecdaa8e0
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLRegisterEvent : C:\Windows\system32\SPPC.DLL @ 0x7feecdab218
[IAT:Addr] (explorer.exe @ systemcpl.dll) slc.dll - SLUnregisterEvent : C:\Windows\system32\SPPC.DLL @ 0x7feecdab2d0

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EALX-759BA1 ATA Device +++++
--- User ---
[MBR] f34cea7fc3572047967e5a164204959f
[BSP] b8cb3719ab429628921f061261d02737 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15166 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31141888 | Size: 938662 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Tigzy

  • Administrator
  • Owner, Adlice Software
Re: help with rogue killer
« Reply #1 on: October 25, 2014, 09:10:16 AM »
What if you press "Delete"?

dsdave
Re: help with rogue killer
« Reply #2 on: October 25, 2014, 03:36:22 PM »
Cleans up a bit: still have 7 reg errors.
Malware still blocking attacks.
Next step?

Tigzy
Re: help with rogue killer
« Reply #3 on: October 25, 2014, 04:52:53 PM »
Can you please give the removal report?

dsdave
Re: help with rogue killer
« Reply #4 on: October 25, 2014, 05:41:51 PM »
Sure, thanks:
¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html  -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.earthlink.net/partner/more/msie/button/search.html  -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 10 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\SysWOW64\drivers\Afc.sys)
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x3410550
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x34105d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x34105b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x3410530
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x34105f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x3410610
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x3410630
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x3410570
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x3410590

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EALX-759BA1 ATA Device +++++
--- User ---
[MBR] f34cea7fc3572047967e5a164204959f
[BSP] b8cb3719ab429628921f061261d02737 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15166 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31141888 | Size: 938662 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_10242014_230833.log - RKreport_DEL_10242014_231214.log - RKreport_SCN_10242014_223121.log - RKreport_SCN_10242014_230612.log
RKreport_SCN_10252014_091725.log - RKreport_DEL_10252014_092559.log - RKreport_DEL_10252014_092656.log - RKreport_SCN_10252014_093027.log

Tigzy
Re: help with rogue killer
« Reply #5 on: October 25, 2014, 05:48:53 PM »
I don't see where the BHO is removed :/
Is it still here after a scan?

dsdave
Re: help with rogue killer
« Reply #6 on: October 25, 2014, 08:33:46 PM »
Not sure what a BHO is, but I reran the report.

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : [Administrator]
Mode : Delete -- Date : 10/25/2014  14:31:22

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 1025_1159925229422 : "C:\Users\Dave\AppData\Local\LMIR0001.tmp_r.bat" [-] -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-207551002-3351654577-3550033736-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 19 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\SysWOW64\drivers\Afc.sys)
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x2e10310
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x2e10390
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x2e10370
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x2e102f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x2e103b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x2e103d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x2e103f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x2e10330
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x2e10350
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x2f901d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x2f90250
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x2f90230
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x2f901b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x2f90270
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x2f90290
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x2f902b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x2f901f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x2f90210

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EALX-759BA1 ATA Device +++++
--- User ---
[MBR] f34cea7fc3572047967e5a164204959f
[BSP] b8cb3719ab429628921f061261d02737 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15166 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31141888 | Size: 938662 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_10242014_230833.log - RKreport_DEL_10242014_231214.log - RKreport_DEL_10252014_092559.log - RKreport_DEL_10252014_092656.log
RKreport_DEL_10252014_093244.log - RKreport_DEL_10252014_093827.log - RKreport_DEL_10252014_093841.log - RKreport_SCN_10242014_223121.log
RKreport_SCN_10242014_230612.log - RKreport_SCN_10252014_091725.log - RKreport_SCN_10252014_093027.log - RKreport_SCN_10252014_143037.log

Tigzy
Re: help with rogue killer
« Reply #7 on: October 26, 2014, 09:17:28 AM »
So what's the problem? :)