Topic: Root.Wajam removal (Read 7861 times)

May 20, 2018, 01:44:28 PM

burneyboy (Newbie)

Hi all.
So, scanning using the free version of RK on my main PC, it finds
`Root.Wajam` Process {3560} svchost.exe, C:\Windows\system32\svchost.exe

After the scan has finished, RK does not remove it even though I ask it to; it just says `not killed`.
So I attached the C drive to a laptop, offline, as an external drive and ran the scan there, but RK finds nothing; see results:

RogueKiller V12.12.17.0 (x64) [May 14 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mymymy [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/20/2018 10:54:26 (Duration : 00:23:40)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG SSD 830 Series +++++
--- User ---
[MBR] 20cc2867d6ad27fc1bbcd6a6f3071511
[BSP] e2026deed788ef6974619d346073f586 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 219776 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 PRO Seri USB Device +++++
--- User ---
[MBR] 9128758dae42cc7f521c0a393b9de029
[BSP] 64d01f4eb4d3707fccac81bf32decce3 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 219676 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

I was a bit concerned about this:

Error reading LL2 MBR! ([32] The request is not supported. )



So I put the drive back into my main PC and started it up; I ran RK again and it finds Wajam again straight away.

No other tools are finding this Wajam.

Thanks in advance for any help, people.

burneyboy

Reply #1, May 20, 2018, 04:43:51 PM

Curson (Global Moderator)

Hi burneyboy,

Welcome to Adlice.com Forum.
This is likely a false positive on our end. Could you please attach the RogueKiller report showing the detection?

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.

Reply #2, May 20, 2018, 05:03:06 PM

burneyboy

Hi,

This is it:

RogueKiller V12.9.2.0 (x64) [Jan  9 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : R [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/20/2018 12:25:02 (Duration : 00:13:12)

¤¤¤ Processes : 1 ¤¤¤
[Root.Wajam] svchost.exe(3560) -- C:\Windows\System32\svchost.exe[7] -> [NoKill]

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG SSD 830 Series ATA Device +++++
--- User ---
[MBR] 8df121645bd3464ed2d060bf914f8c5a
[BSP] 5677b0371b6367ad3c6a3a62f82d3bcf : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 219776 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG SSD 830 Series ATA Device +++++
--- User ---
[MBR] 58a675b0b8e1798fc855994f458cef7c
[BSP] 77cb289577ba0844231bd87e0af80a15 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 244196 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Samsung SSD 840 PRO Series ATA Device +++++
--- User ---
[MBR] 9128758dae42cc7f521c0a393b9de029
[BSP] 64d01f4eb4d3707fccac81bf32decce3 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 219676 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: SanDisk Cruzer Blade USB Device +++++
--- User ---
[MBR] 937130cc663ab3635ad62495e9c199c1
[BSP] 79fdcb6f5787863c0e9a758566d1ae79 : Legit.Unknown MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0xb) [VISIBLE] Offset (sectors): 2048 | Size: 7631 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

Thanks for the reply.

Reply #3, May 20, 2018, 05:23:48 PM

Curson

Hi burneyboy,

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Do not copy/paste the report directly in your message; please use the "Attach" feature under "Attachments and other options".

Regards.

Reply #4, May 20, 2018, 06:45:57 PM

burneyboy

Wow, what a major ball ache just trying to log in here; it put me on an endless loop saying session timed out, please go back and try again.
I tried re-registering and still the same, then eventually found that changing my password got me back here. Crikey.

OK, here's the files, thanks for the help.

Reply #5, May 20, 2018, 06:46:34 PM

burneyboy

and..

Reply #6, May 20, 2018, 07:41:43 PM

Curson

Hi burneyboy,

Thanks for your feedback.
OK, this is indeed a false positive, we will fix this as soon as possible.

Regards.

Reply #7, May 20, 2018, 07:51:17 PM

burneyboy

OK mate, thanks, that's good to know, as my credit card details were obtained from somewhere last week.
I was 99% sure it wasn't from my PC directly, with the amount it gets cleaned, scanned and updated; I was just curious about this one find.

Thanks again for your help.

Reply #8, May 20, 2018, 10:15:56 PM

Curson

Hi burneyboy,

You are very welcome.
Good luck with your bank.

Regards.