Author Topic: [Split]1st Time Using RogueKiller, Don't Know What To Remove  (Read 15452 times)

Leety
« on: April 20, 2015, 07:33:01 AM »
RogueKiller V10.5.10.0 (x64) [Apr 14 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Leety [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 04/20/2015  10:29:15

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\Origin -- C:\Users\Leety\AppData\Roaming\Origin\update.vbe -> ERROR


¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] b002a17c1e68a5888fc3fca59c91a4a2
[BSP] cae03e6ffda7b01661dd3c9bc604aa9a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04202015_102659.log - RKreport_DEL_04202015_102743.log - RKreport_DEL_04202015_102747.log - RKreport_DEL_04202015_102751.log
RKreport_DEL_04202015_102753.log - RKreport_DEL_04202015_102758.log - RKreport_DEL_04202015_102809.log - RKreport_DEL_04202015_102812.log
RKreport_DEL_04202015_102816.log - RKreport_DEL_04202015_102911.log
Leety

Curson
« Reply #1 on: April 21, 2015, 10:23:30 PM »
Hi leety,

Welcome to Adlice.com Forum.

Is your ISP located in Pakistan?
Please locate the following file, zip it and attach it with your next reply.
Quote
C:\Users\Leety\AppData\Roaming\Origin\update.vbe

Regards.

NOTE: Your post has been split into a new thread for clarity.

Leety
« Reply #2 on: April 26, 2015, 12:46:34 PM »
Yes, I live in Pakistan. Here's the file. By the way, I got suspicious and ran this file, and Defender popped up a message which said it's cleaning malware.
Leety

Curson
« Reply #3 on: April 26, 2015, 05:22:53 PM »
Hi leety,

Please restart RogueKiller and select the following entries for deletion:
Quote
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys)
[Suspicious.Path] \\Origin -- C:\Users\Leety\AppData\Roaming\Origin\update.vbe
Please copy/paste the report obtained in your next reply.

Regards.
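The triage performed in this thread (keep the PUM.Dns entries because the ISP really is in Pakistan, delete the ESEADriver2 service that points into the user's %TEMP% folder and the Origin task that runs a .vbe script from Roaming, ignore the PUM.DesktopIcons preferences) can be written down as a small checker. The Python below is an added example, not part of this thread and not Adlice's code: it parses RogueKiller report lines in the format posted above, the sample report is copied from the logs in this thread, and the ISP resolver range 42.201.255.0/24 is an assumption made for the demonstration (the thread only confirms the ISP is in Pakistan; an operator would supply the real expected resolvers). The directory and script-extension heuristics are likewise this example's, not RogueKiller's.

```python
"""Triage helper for RogueKiller report lines.

Added example, not Adlice's code. It encodes the two checks applied by hand
in the thread: [Suspicious.Path] targets living in user-writable temp/profile
directories (a driver in %TEMP%, a scheduled task running a .vbe from Roaming)
are flagged, and [PUM.Dns] resolvers are compared against the networks the
operator expects for the user's ISP. Everything else is reported as info.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# One report entry: [Tag] (optional arch) body -> status
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s*(?:\((?P<arch>X86|X64)\)\s*)?(?P<body>.*?)\s*->\s*(?P<status>\S.*)$"
)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Heuristic (assumption of this example): services, drivers and task payloads
# have no business living in these user-writable locations.
RISKY_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd")

# Constructed assumption: the ISP's resolver range. The thread only confirms
# that the ISP is in Pakistan; the /24 is illustrative.
ISP_RESOLVERS = ["42.201.255.0/24"]


@dataclass
class Finding:
    tag: str
    body: str
    status: str
    severity: str = "info"            # "info" or "flag"
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Return (tag, arch, body, status) for an entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("tag"), m.group("arch"), m.group("body"), m.group("status")


def triage_line(line, expected_resolvers=ISP_RESOLVERS):
    """Classify one report line; returns None for section headers and blanks."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    tag, _arch, body, status = parsed
    finding = Finding(tag=tag, body=body, status=status)
    if tag == "Suspicious.Path":
        for path in WIN_PATH_RE.findall(body):
            lower = path.lower()
            if any(d in lower for d in RISKY_DIRS):
                finding.reasons.append(f"target in user-writable directory: {path}")
            if lower.endswith(SCRIPT_EXTS):
                finding.reasons.append(f"script payload: {path}")
    elif tag == "PUM.Dns":
        nets = [ip_network(n) for n in expected_resolvers]
        for ip_str in IPV4_RE.findall(body):
            if not any(ip_address(ip_str) in n for n in nets):
                finding.reasons.append(f"resolver {ip_str} outside expected ISP ranges")
    if finding.reasons:
        finding.severity = "flag"
    return finding


def triage_report(text, expected_resolvers=ISP_RESOLVERS):
    """Parse a whole report; non-entry lines (section headers) are skipped."""
    out = []
    for line in text.splitlines():
        f = triage_line(line, expected_resolvers)
        if f is not None:
            out.append(f)
    return out


# Sample lines copied from the reports posted in this thread.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESEADriver2 (\??\C:\Users\Leety\AppData\Local\Temp\ESEADriver2.sys) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\Origin -- C:\Users\Leety\AppData\Roaming\Origin\update.vbe -> ERROR
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] NvOAWrapperCache.exe(4720) -- C:\Users\Leety\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[7] -> Killed [TermProc]
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"{f.severity:4} [{f.tag}] {f.status}")
        for r in f.reasons:
            print("      -", r)
```

Run against the sample, the checker flags exactly the two entries Curson asked to delete (the ESEADriver2 service in %TEMP% and the Origin .vbe task) and leaves the DNS entries alone because they sit inside the assumed ISP range; the NVIDIA process from the follow-up report lands in AppData\Local but not in a temp or Roaming path, so it stays informational, matching the "report is clean" verdict. Passing a different allowlist (for example only public resolvers) makes the same Pakistani resolvers show up as findings, which is the decision the moderator's "Is your ISP located in Pakistan?" question resolves.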

Leety
« Reply #4 on: April 27, 2015, 04:46:55 PM »
OK, I deleted these 3 entries; the report afterwards looks like this.

RogueKiller V10.5.10.0 (x64) [Apr 14 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Leety [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 04/27/2015  19:46:21

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] NvOAWrapperCache.exe(4720) -- C:\Users\Leety\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 8 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8FC09021-95CA-4B71-9826-6D888162FDDE} | DhcpNameServer : 42.201.255.26 [PAKISTAN (PK)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D6582575-DD30-41CF-B966-E0B648A21B39} | NameServer : 42.201.255.131 42.201.255.26 [PAKISTAN (PK)][PAKISTAN (PK)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] b002a17c1e68a5888fc3fca59c91a4a2
[BSP] cae03e6ffda7b01661dd3c9bc604aa9a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04202015_102659.log - RKreport_DEL_04202015_102743.log - RKreport_DEL_04202015_102747.log - RKreport_DEL_04202015_102751.log
RKreport_DEL_04202015_102753.log - RKreport_DEL_04202015_102758.log - RKreport_DEL_04202015_102809.log - RKreport_DEL_04202015_102812.log
RKreport_DEL_04202015_102816.log - RKreport_DEL_04202015_102911.log - RKreport_DEL_04202015_102915.log - RKreport_SCN_04262015_153813.log
RKreport_SCN_04262015_155125.log - RKreport_SCN_04272015_194155.log - RKreport_DEL_04272015_194259.log
Leety

Curson
« Reply #5 on: April 27, 2015, 06:04:20 PM »
Hi leety,

Your report is clean.
How is the computer running?

Regards.

Leety
« Reply #6 on: September 06, 2015, 11:35:06 AM »
Thanks a lot for your help. It was working fine, then once again I noticed 99% disk usage in the Task Manager. Just when I run Google Chrome, a mysterious "svchost.exe" file appears with no apparent program name, located in my Windows/Temp folder. I ran Malwarebytes since I'm on Windows 10 now, but I wasn't satisfied, so I'm installing RogueKiller again; let's see what happens. Do I post you a report in a new topic or this one?
Leety

Curson
« Reply #7 on: September 07, 2015, 01:25:57 PM »
Hi leety,

You can post the report in this thread.
No need to create a new one.

Regards.

Leety
« Reply #8 on: September 09, 2015, 02:39:31 AM »
RogueKiller V10.10.4.0 (x64) [Sep  4 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : Leety [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 09/09/2015 05:38:30

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Lightshot : C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8a4bb498-b0b0-44bc-ae58-9388f5795601} | DhcpNameServer : 42.201.255.26 ([PAKISTAN (PK)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FE3A53D7-3C41-47F2-A8BE-84B7AEB36906} | NameServer : 42.201.255.130 42.201.255.26 ([PAKISTAN (PK)][PAKISTAN (PK)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8a4bb498-b0b0-44bc-ae58-9388f5795601} | DhcpNameServer : 42.201.255.26 ([PAKISTAN (PK)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FE3A53D7-3C41-47F2-A8BE-84B7AEB36906} | NameServer : 42.201.255.130 42.201.255.26 ([PAKISTAN (PK)][PAKISTAN (PK)])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] b002a17c1e68a5888fc3fca59c91a4a2
[BSP] cae03e6ffda7b01661dd3c9bc604aa9a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Leety

Curson
« Reply #9 on: September 11, 2015, 01:43:23 PM »
Hi leety,

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Regards.

Leety
« Reply #10 on: September 19, 2015, 02:17:03 AM »
Here, thanks again.
Leety

Curson
« Reply #11 on: September 24, 2015, 12:06:34 AM »
Hi tenshi304,

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is the computer running?

Regards.

Leety
« Reply #12 on: September 26, 2015, 07:50:13 AM »
Thanks. I completed the steps from the above posts. The PC is running fine. Actually, just before running the Fix I noticed 55% memory usage with no programs except Google Chrome with one tab open. After the fix and the restart the PC is still working fine, and memory usage is down to 32~35% with one program and Chrome with 1 tab open.
Leety

Curson
« Reply #13 on: September 28, 2015, 04:41:24 PM »
Hi Leety,

Could you please attach the file Fixlog.txt in your next reply?

Regards.

Leety
« Reply #14 on: September 28, 2015, 07:03:56 PM »
Here.
Leety