fr8pil8
Honorary Members
Posts: 66
Everything posted by fr8pil8
-
RogueKiller V10.0.5.0 [Nov 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : Al & Mindy [Administrator]
Mode : Scan -- Date : 11/12/2014 20:39:34

¤¤¤ Processes : 2 ¤¤¤
[Tr.Poweliks] dllhost.exe -- [x] -> Killed [TermProc]
[Tr.Poweliks] dllhost.exe -- C:\Windows\system32\dllhost.exe[7] -> Killed [TermThr]

¤¤¤ Registry : 28 ¤¤¤
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD (\SystemRoot\system32\drivers\afd.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)] -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[Tr.Poweliks] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] aba52d45b8e1f2adf216397c6e932b8c
[BSP] 15aa431f21a280c81d2601e5a5773708 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 129024 | Size: 15360 MB
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31586304 | Size: 525312 MB
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1107425280 | Size: 174666 MB
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 15185c225eb6fb0a3de71f124a83710c
[BSP] adb3bbbedcdedb86cfcfedec2cb79c0a : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_07082014_161306.log - RKreport_DEL_07082014_161932.log - RKreport_DEL_07082014_171247.log - RKreport_DEL_07112014_205900.log
RKreport_SCN_07062014_124132.log - RKreport_SCN_07082014_135217.log - RKreport_SCN_07082014_155330.log - RKreport_SCN_07082014_161843.log
RKreport_SCN_07082014_170715.log - RKreport_SCN_07082014_173605.log - RKreport_SCN_07092014_171156.log - RKreport_SCN_07112014_103613.log
RKreport_SCN_07112014_205735.log
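The report above mixes two very different kinds of hit: the [Tr.Poweliks] lines (the dllhost.exe processes and the LocalServer32 value under the user's Software\classes\CLSID hive) and the loopback proxy (http=127.0.0.1:5555) need action, while most of the PUM.* lines are Windows defaults or Explorer preferences (microsoft.com start/search pages, a private DHCP name server from the router, Start menu toggles) that deleting will not fix anything. The script below is an added example, not RogueKiller's code or anything from this thread: it parses lines in the report's "[Tag] body -> Action" shape and sorts them into buckets. The sample lines are copied from the report; the classification rules, the bucket names and the list of "benign" home page hosts are this example's own assumptions.

```python
"""Triage a RogueKiller text report into action / suspicious / review / benign.

Added example. Parsing follows the "[Tag] body -> Action" line shape seen in
the report; the severity rules are assumptions made for this example, not
RogueKiller's own classification.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines lifted from the RogueKiller report posted above.
SAMPLE_REPORT = r"""
[Tr.Poweliks] dllhost.exe -- C:\Windows\system32\dllhost.exe[7] -> Killed [TermThr]
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD (\SystemRoot\system32\drivers\afd.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)] -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
[Tr.Poweliks] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found
"""

# "[Tag] body -> Action": processes and registry hits share this shape.
LINE_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<body>.*?)\s+->\s+(?P<action>.+?)\s*$")
# Registry values are written "<key> | <value name> : <data>".
VALUE_RE = re.compile(r"^(?P<key>.+?)\s+\|\s+(?P<name>[^:]+?)\s+:\s+(?P<data>.*)$")

POWELIKS_CLSID = "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"  # the key RogueKiller tagged Tr.Poweliks
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
PRIVATE_V4 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 ranges
BENIGN_PAGE_HOSTS = {"www.microsoft.com", "go.microsoft.com"}  # assumption: IE factory defaults


def parse_line(line):
    """Return a dict for one finding, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"tag": m["tag"], "action": m["action"], "key": m["body"], "name": None, "data": None}
    v = VALUE_RE.match(m["body"])
    if v:  # registry value: split key, value name and data
        entry.update(key=v["key"], name=v["name"], data=v["data"])
    return entry


def classify(entry):
    """Assumed rules: what a responder should act on vs. what is a default."""
    tag, key, data = entry["tag"], entry["key"], entry["data"] or ""
    if tag.startswith("Tr.") or POWELIKS_CLSID.lower() in key.lower():
        return "malware"
    if tag == "PUM.Proxy":
        # "http=127.0.0.1:5555" -> drop the scheme prefix, then the port
        host = data.split("=", 1)[-1].rsplit(":", 1)[0]
        # a proxy on the loopback interface means a local process intercepts browser traffic
        return "suspicious" if host in LOOPBACK_HOSTS else "review"
    if tag in ("PUM.HomePage", "PUM.SearchPage"):
        return "benign" if urlparse(data).hostname in BENIGN_PAGE_HOSTS else "review"
    if tag == "PUM.Dns":
        return "benign" if PRIVATE_V4.match(data) else "review"  # home router as DNS is normal
    if tag in ("PUM.StartMenu", "PUM.DesktopIcons"):
        return "benign"  # Explorer preferences, not security settings
    return "review"  # suspicious.Path, Hidden.From.SCM: inspect the file before deleting


def triage(report_text):
    """Return {severity: [one-line summaries]} for every parsable finding."""
    buckets = {"malware": [], "suspicious": [], "review": [], "benign": []}
    for line in report_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        summary = entry["key"] if entry["name"] is None else f'{entry["key"]} | {entry["name"]} = {entry["data"]}'
        buckets[classify(entry)].append(f'[{entry["tag"]}] {summary}')
    return buckets


if __name__ == "__main__":
    for severity, items in triage(SAMPLE_REPORT).items():
        print(f"== {severity} ({len(items)})")
        for item in items:
            print("  ", item)
```

Run as-is it prints the eight sample findings grouped by bucket; point `triage()` at a full RKreport_SCN_*.log to get the same split for an entire scan. The "review" bucket is deliberate: a service whose binary sits in a Temp folder, or a driver RogueKiller cannot see through the SCM, is worth checking but is not evidence on its own, and removing it blind can break a legitimate tool.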
-
That did the trick, although the malware still affects the computer (1,500,000K in dllhost items). The scan hung up when it was trying to look at restore points. After 5 min I tried to shut the program down, but somehow that got it to continue. Here are the logs... Addition_12-11-2014_20-20-58.txt FRST_12-11-2014_20-21-06.txt
-
Disregard the last msg...tried to download FRST from your link and got a "you can't do that" boxed msg: C:\Users\....\Downloads\FRST.exe is not a valid Win32 application. Then I found the original link to FRST32 on the Bleepingcomputer site and got the same message. I think this malware is driving this message. I know it won't let me run CCleaner, nor will it let me use Windows System Restore. I'll try again in safe mode and see if that makes a difference.
-
Are these in lieu of RogueKiller and Farbar, or would you like those also?
-
Running in Normal windows mode the Threat scan that normally takes about 30 minutes ran a whopping 3+20. Nothing was found. As a side note, the PUM.BadProxy that you and I tried to get rid of several months ago is an exclusion to the scan. I included the protection log for today along with the Threat scan. I'll get right to work on your other instructions. 11Nov Scan2.txt MBThreatScan11-12.txt
-
"ff5ee.com" .............guess that's ffsee.com
-
Got Malwarebytes started and received a malicious website blocked msg, Domain: ff5ee.com. Don't know if this is part of the problem?
-
Hey Mr. C...I was hoping I wouldn't have to seek your help again, at least not so soon. I'll run your list.
-
Norton 360 first identified this infection on Nov 6 and has "removed the infection" two or three times a day since. Unfortunately, their removal doesn't work. I am experiencing the multiple dllhost.exe processes. At one point today, one of them was using in excess of 900,000 K of memory, with two others above 400,000 K. Memory usage was above 95% for several minutes. Malwarebytes has not reported it. I am using Vista 32. After researching this topic I can see that I need help from a pro...
-
Thanks for all the hard work MrC...
-
Safe mode yields the same log..."can't find the path specified"
-
Ran the scan twice and got the same result: Results have been copied to checkup.txt, which should open... now! The system cannot find the path specified. The system cannot find the path specified.
-
MrC...thanks for all the effort. I think for now I'll just ignore it if you're sure it's a harmless (annoying) PUB. As for all the programs I've downloaded trying to kill this dang thing, are there any special removal options I might need to follow? I use Revo uninstaller to delete unwanted programs...think that will be sufficient? Again, appreciate all your work. I'll put a little something in the PayPal cookie jar
-
That did the trick: zoek-results.log
-
Second try seems to have hung up also. Both scans got stalled at the "Documents DB Check"
-
Sorry, missed your post...the problem was there several months before (first log was actually back in April, which surprised me).
-
zoek has been running now for almost 24 hrs. I think it's safe to say it has frozen up. I can't close the program, even with task manager, so I'm guessing I'll have to manually shut down the computer and maybe try running zoek again...thoughts...
-
OOPS, Zoek is still running-DOH! I'll repost.
-
My modem is only two weeks old...do I really need to reset it? Panda Cleaner found a few things which I deleted. Zoek didn't seem to find anything: zoek-results.log
-
I had reset IE while in safe mode as per the 'malwaretips' article. Still in safe mode I ran ADW Cleaner, twice. Both times the scan showed nothing...no files, folders or anything from the registry listed...all lines in all categories were blank, as if I hadn't run the scan. Just ran RogueKiller in normal and both the PUB.Proxy files were back. 7-11RKreport_SCN_07112014_205735.log I deleted them.
-
Had a minute before work...no PUM.Proxy files found. 7-11RKreport_SCN_07112014_103613.log
-
Thanks MrC...I'll get on this tonight
-
Ran aswMBR again, right clicked on MBR.dat and chose "send to/ compressed zip file" and this is what I got: MBR.zip If that isn't what we need, I'm going to need help on sending a zip file.
-
That zip didn't seem to work...at least I couldn't open it into anything coherent. Still working on it