fr8pil8
Everything posted by fr8pil8

  1. RogueKiller V10.0.5.0 [Nov 11 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
     Started in : Safe mode with network support
     User : Al & Mindy [Administrator]
     Mode : Scan -- Date : 11/12/2014 20:39:34

     ¤¤¤ Processes : 2 ¤¤¤
     [Tr.Poweliks] dllhost.exe -- [x] -> Killed [TermProc]
     [Tr.Poweliks] dllhost.exe -- C:\Windows\system32\dllhost.exe[7] -> Killed [TermThr]

     ¤¤¤ Registry : 28 ¤¤¤
     [Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD (\SystemRoot\system32\drivers\afd.sys) -> Found
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
     [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> Found
     [PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> Found
     [PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
     [PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
     [PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
     [PUM.SearchPage] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
     [PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)] -> Found
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)] -> Found
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)] -> Found
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> Found
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> Found
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
     [Tr.Poweliks] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

     ¤¤¤ Tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ Hosts File : 1 ¤¤¤
     [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

     ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: +++++
     --- User ---
     [MBR] aba52d45b8e1f2adf216397c6e932b8c
     [bSP] 15aa431f21a280c81d2601e5a5773708 : HP MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
     1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 129024 | Size: 15360 MB
     2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31586304 | Size: 525312 MB
     3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1107425280 | Size: 174666 MB
     User = LL1 ... OK
     Error reading LL2 MBR! ([57] The parameter is incorrect. )
     +++++ PhysicalDrive1: +++++
     --- User ---
     [MBR] 15185c225eb6fb0a3de71f124a83710c
     [bSP] adb3bbbedcdedb86cfcfedec2cb79c0a : Empty MBR Code
     Partition table:
     0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB
     User = LL1 ... OK
     Error reading LL2 MBR! ([32] The request is not supported. )
     +++++ PhysicalDrive2: +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )
     +++++ PhysicalDrive3: +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )
     +++++ PhysicalDrive4: +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )
     +++++ PhysicalDrive5: +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     ============================================
     RKreport_DEL_07082014_161306.log - RKreport_DEL_07082014_161932.log - RKreport_DEL_07082014_171247.log - RKreport_DEL_07112014_205900.log
     RKreport_SCN_07062014_124132.log - RKreport_SCN_07082014_135217.log - RKreport_SCN_07082014_155330.log - RKreport_SCN_07082014_161843.log
     RKreport_SCN_07082014_170715.log - RKreport_SCN_07082014_173605.log - RKreport_SCN_07092014_171156.log - RKreport_SCN_07112014_103613.log
     RKreport_SCN_07112014_205735.log
  2. That did the trick, although the malware still affects the computer (1,500,000K in dllhost items). The scan hung up when it was trying to look at restore points. After 5 min I tried to shut the program down, but somehow that got it to continue. Here are the logs... Addition_12-11-2014_20-20-58.txt FRST_12-11-2014_20-21-06.txt
  3. Disregard the last msg...tried to download FRST from your link and got a "you can't do that" boxed msg: C:\Users\....\Downloads\FRST.exe is not a valid Win32 application. Then I found the original link to FRST32 on the Bleepingcomputer site and got the same message. I think this malware is driving this message. I know it won't let me run CCleaner nor will it let me use Windows System Restore. I'll try again in safe mode and see if that makes a difference.
  4. Are these in lieu of RogueKiller and Farbar, or would you like those also?
  5. Running in normal Windows mode, the Threat scan that normally takes about 30 minutes ran a whopping 3+20. Nothing was found. As a side note, the PUM.BadProxy that you and I tried to get rid of several months ago is an exclusion to the scan. I included the protection log for today along with the Threat scan. I'll get right to work on your other instructions. 11Nov Scan2.txt MBThreatScan11-12.txt
  6. "ff5ee.com" .............guess that's ffsee.com
  7. Got Malwarebytes started and received a malicious website blocked msg, Domain: ff5ee.com. Don't know if this is part of the problem?
  8. Hey Mr. C...I was hoping I wouldn't have to seek your help again, at least not so soon. I'll run your list.
  9. Norton 360 first identified this infection on Nov 6 and has "removed the infection" two or three times a day since. Unfortunately, their removal doesn't work. I am experiencing the multiple dllhost.exe processes. At one point today, one of them was using in excess of 900,000 K of memory, with two others above 400,000 K. Memory usage was above 95% for several minutes. Malwarebytes has not reported it. I am using Vista 32. After researching this topic I can see that I need help from a pro...
  10. Thanks for all the hard work MrC...
  11. Although we could never get PUM.BadProxy to go away I appreciate all your hard work on the problem. MrC was quick to reply to all my questions and took me step by step through a lot of cleaning processes. Thank you Sir!
  12. Safe mode yields the same log..."can't find the path specified"
  13. Ran the scan twice and got the same result: Results have been copied to checkup.txt, which should open... now! The system cannot find the path specified. The system cannot find the path specified.
  14. MrC...thanks for all the effort. I think for now I'll just ignore it if you're sure it's a harmless (annoying) PUB. As for all the programs I've downloaded trying to kill this dang thing, are there any special removal options I might need to follow? I use Revo Uninstaller to delete unwanted programs...think that will be sufficient? Again, appreciate all your work. I'll put a little something in the PayPal cookie jar.
  15. That did the trick: zoek-results.log
  16. Second try seems to have hung up also. Both scans got stalled at the "Documents DB Check"
  17. Sorry, missed your post...the problem was there several months before (first log was actually back in April, which surprised me).
  18. zoek has been running now for almost 24 hrs. I think it's safe to say it has frozen up. I can't close the program, even with task manager, so I'm guessing I'll have to manually shut down the computer and maybe try running zoek again...thoughts...
  19. OOPS, Zoek is still running - DOH! I'll repost.
  20. My modem is only two weeks old...do I really need to reset it? Panda Cleaner found a few things which I deleted. Zoek didn't seem to find anything: zoek-results.log
  21. I had reset IE while in safe mode as per the 'malwaretips' article. Still in safe mode I ran ADW Cleaner, twice. Both times the scan showed nothing...no files, folders or anything from the registry listed...all lines in all categories were blank, as if I hadn't run the scan. Just ran RogueKiller in normal mode and both the PUM.Proxy entries were back. 7-11RKreport_SCN_07112014_205735.log I deleted them.
  22. Had a minute before work...no PUM.Proxy files found. 7-11RKreport_SCN_07112014_103613.log
  23. Thanks MrC...I'll get on this tonight
  24. Ran aswMBR again, right clicked on MBR.dat and chose "send to/ compressed zip file" and this is what I got: MBR.zip If that isn't what we need, I'm going to need help on sending a zip file.
  25. That zip didn't seem to work...at least I couldn't open it into anything coherent. Still working on it