fr8pil8

Everything posted by fr8pil8

  1. I am using a router supplied by Comcast (Arris TG862). The aswMBR log: aswMBR.txt. Haven't used a zip process in years...hope this works: MBR.zip
  2. Norton360 didn't like aswMBR, so I disabled it, then downloaded the file. After selecting "Run", a pop-up from the aswMBR program gave me the following option: "This computer supports 'Virtualization Technology'. Would you like to use it for rootkit detection? YES/NO" and the correct answer is ...?
  3. Evening MrC, RKreport_SCN_07092014_171156.log
     Rkill 2.6.7 by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2014 BleepingComputer.com
     More Information about Rkill can be found at this link:
     http://www.bleepingcomputer.com/forums/topic308364.html

     Program started at: 07/09/2014 05:27:56 PM in x86 mode.
     Windows Version: Windows Vista Ultimate Service Pack 2

     Checking for Windows services to stop:
     * No malware services found to stop.

     Checking for processes to terminate:
     * No malware processes found to kill.

     Checking Registry for malware related settings:
     * No issues found in the Registry.

     Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

     Performing miscellaneous checks:
     * Windows Defender Disabled
     [HKLM\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware" = dword:00000001
     * Windows Firewall Disabled
     [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
     "EnableFirewall" = dword:00000000

     Checking Windows Service Integrity:
     * Windows Defender (WinDefend) is not Running. Startup Type set to: Manual
     * DFSR [Missing Service]

     Searching for Missing Digital Signatures:
     * No issues found.

     Checking HOSTS File:
     * HOSTS file entries found:
     127.0.0.1 localhost

     Program finished at: 07/09/2014 05:29:00 PM
     Execution time: 0 hours(s), 1 minute(s), and 4 seconds(s)
  4. I ran a manual scan last night which showed no problems. This morning my scheduled scan says different...it seems to still be there: 7-9MBlog.txt
  5. Making progress...both PUM.Proxy files are gone. Here's the report:
     RogueKiller V9.2.0.0 [Jun 23 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
     Started in : Normal mode
     User : Al & Mindy [Admin rights]
     Mode : Scan -- Date : 07/08/2014 17:36:05

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 23 ¤¤¤
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> FOUND
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher -> FOUND
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> FOUND
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher -> FOUND
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> FOUND
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SessionLauncher -> FOUND
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> FOUND
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> FOUND
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> FOUND
     [PUM.Policies] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
     [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> FOUND
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> FOUND
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> FOUND
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> FOUND
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> FOUND
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_DC29\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_DC29\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ HOSTS File : 1 ¤¤¤
     [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

     ¤¤¤ Antirootkit : 54 (Driver: LOADED) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤

     ============================================
     RKreport_DEL_07082014_161306.log - RKreport_DEL_07082014_161932.log - RKreport_DEL_07082014_171247.log - RKreport_SCN_07062014_124132.log
     RKreport_SCN_07082014_135217.log - RKreport_SCN_07082014_155330.log - RKreport_SCN_07082014_161843.log - RKreport_SCN_07082014_170715.log
  6. Result: one shows deleted, the other says "error"? Anyway...
     RogueKiller V9.2.0.0 [Jun 23 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
     Started in : Normal mode
     User : Al & Mindy [Admin rights]
     Mode : Remove -- Date : 07/08/2014 17:12:47

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 21 ¤¤¤
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SessionLauncher -> NOT SELECTED
     [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> DELETED
     [PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> ERROR [2]
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> NOT SELECTED
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> NOT SELECTED
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> NOT SELECTED
     [PUM.Policies] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
     [PUM.Policies] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> NOT SELECTED
     [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
     [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> NOT SELECTED

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ HOSTS File : 1 ¤¤¤
     [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

     ¤¤¤ Antirootkit : 54 (Driver: LOADED) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤

     ============================================
     RKreport_DEL_07082014_161306.log - RKreport_DEL_07082014_161932.log - RKreport_SCN_07062014_124132.log - RKreport_SCN_07082014_135217.log
     RKreport_SCN_07082014_155330.log - RKreport_SCN_07082014_161843.log - RKreport_SCN_07082014_170715.log
  7. Done...here's the resultant log:
     RogueKiller V9.2.0.0 [Jun 23 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
     Started in : Normal mode
     User : Al & Mindy [Admin rights]
     Mode : Remove -- Date : 07/08/2014 16:19:32

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 25 ¤¤¤
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> NOT SELECTED
     [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SessionLauncher -> NOT SELECTED
     [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> NOT SELECTED
     [PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> NOT SELECTED
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> NOT SELECTED
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> NOT SELECTED
     [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 -> NOT SELECTED
     [PUM.Policies] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
     [PUM.Policies] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> NOT SELECTED
     [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
     [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> NOT SELECTED
     [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> NOT SELECTED
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_60FD\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_60FD\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
     [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ HOSTS File : 1 ¤¤¤
     [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

     ¤¤¤ Antirootkit : 54 (Driver: LOADED) ¤¤¤

     ¤¤¤ Web browsers : 3 ¤¤¤
     [PUM.Proxy][FIREFX:Config] x2ofst8b.default : user_pref("network.proxy.http", "127.0.0.1"); -> DELETED
     [PUM.Proxy][FIREFX:Config] x2ofst8b.default : user_pref("network.proxy.http_port", 5555); -> DELETED
     [PUM.Proxy][FIREFX:Config] x2ofst8b.default : user_pref("network.proxy.type", 4); -> REPLACED (0)

     ¤¤¤ MBR Check : ¤¤¤

     ============================================
     RKreport_SCN_07062014_124132.log - RKreport_SCN_07082014_135217.log - RKreport_SCN_07082014_155330.log - RKreport_DEL_07082014_161306.log
     RKreport_SCN_07082014_161843.log
  8. Got redirected to this page after the scan: was I supposed to turn off my antivirus (Norton 360) before the scan?
     "If you land here from RogueKiller… …This is because RogueKiller has detected an SSDT hook. Don't panic. Most of the time, they are made by antiviruses to protect your computer. However, most antivirus drivers are whitelisted in RogueKiller, so either the driver is not known (please verify by typing it on Google, -example: klif.sys = Kaspersky-) or the module is a real malware (if you didn't find anything on it on Google, or worse, you found bad things), or because the module has not been identified (shellcoded outside of any module), the module is named "Unknown". In this last case, if nothing else has been found by RogueKiller, just skip it. Some antiviruses can use shellcodes to protect their driver too."
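The rule quoted above (a hook from a whitelisted security driver is expected, an "Unknown" module needs a closer look, anything else needs the driver name looked up) and the Firefox proxy entries in the RogueKiller log two posts earlier can both be applied mechanically. The script below is an added example, not RogueKiller's or Malwarebytes' own code. It parses RogueKiller-style hook and `user_pref` lines, triages each hook, and flags a browser proxy that points at the local machine. The sample lines are constructed to mirror the format on this page: the `klif.sys` = Kaspersky mapping is the one the quoted text gives, while `example.sys`, the `NtOpenProcess`/`NtCreateFile` entries and their addresses are made up for the demonstration. It also assumes Firefox's `network.proxy.type` value 1 means "manual proxy in force".

```python
"""Triage RogueKiller-style scan lines (added example, not RogueKiller's code)."""
import re
from dataclasses import dataclass

# [SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x89150660
HOOK_RE = re.compile(
    r'^\[(?P<table>[^\]:]+):Addr\(Hook\.(?P<kind>\w+)\)\]\s+'
    r'(?P<func>\w+)\[(?P<index>\d+)\]\s+:\s+(?P<module>.+?)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)$')
# [PUM.Proxy][FIREFX:Config] profile : user_pref("name", value); -> ACTION
PREF_RE = re.compile(
    r'^\[PUM\.Proxy\]\[(?P<browser>\w+):Config\]\s+(?P<profile>\S+)\s+:\s+'
    r'user_pref\("(?P<name>[^"]+)",\s*(?P<value>[^)]+)\);')

# Assumption: only the one mapping quoted from RogueKiller's page; extend locally.
KNOWN_AV_DRIVERS = {"klif.sys": "Kaspersky"}

@dataclass
class Hook:
    table: str      # SSDT or shadow SSDT
    function: str   # hooked Nt*/NtUser* service
    module: str     # owning driver, or "Unknown" for code outside any module
    address: int

def parse_hook(line):
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(m["table"], m["func"], m["module"], int(m["addr"], 16))

def triage_hook(hook):
    """Apply the quoted rule: whitelisted driver, unidentified code, or unknown driver."""
    name = hook.module.lower().rsplit("\\", 1)[-1]
    if name == "unknown":
        return "review"        # shellcode outside any module: skip only if nothing else was found
    if name in KNOWN_AV_DRIVERS:
        return "expected-av"   # security-product driver hooking to protect itself
    return "lookup"            # identify the driver before deciding

def parse_proxy_prefs(lines):
    """Group Firefox proxy user_prefs by profile; strings keep quotes stripped, numbers become int."""
    prefs = {}
    for line in lines:
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        raw = m["value"].strip()
        value = raw.strip('"') if raw.startswith('"') else int(raw)
        prefs.setdefault(m["profile"], {})[m["name"]] = value
    return prefs

def loopback_proxy_findings(prefs):
    """Flag profiles whose HTTP proxy is the local machine.
    network.proxy.type == 1 (manual) means the proxy is in force; any other type
    leaves the setting dormant, but it still should not be there."""
    findings = []
    for profile, p in prefs.items():
        host = p.get("network.proxy.http")
        if host in ("127.0.0.1", "localhost", "::1"):
            findings.append({
                "profile": profile,
                "proxy": f"{host}:{p.get('network.proxy.http_port', 80)}",
                "active": p.get("network.proxy.type") == 1,
            })
    return findings

def triage(log_text):
    lines = log_text.splitlines()
    hooks = [h for h in (parse_hook(l) for l in lines) if h]
    verdicts = {h.function: triage_hook(h) for h in hooks}
    return verdicts, loopback_proxy_findings(parse_proxy_prefs(lines))

# Constructed sample in the page's log format (addresses and non-Unknown entries invented).
SAMPLE_LOG = """\
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x89150660
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x8916eb30
[shwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x89c16d48
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : C:\\Windows\\system32\\drivers\\klif.sys @ 0x8a1c0000
[SSDT:Addr(Hook.SSDT)] NtCreateFile[66] : C:\\Windows\\system32\\drivers\\example.sys @ 0x8a2d0000
[PUM.Proxy][FIREFX:Config] x2ofst8b.default : user_pref("network.proxy.http", "127.0.0.1"); -> DELETED
[PUM.Proxy][FIREFX:Config] x2ofst8b.default : user_pref("network.proxy.http_port", 5555); -> DELETED
[PUM.Proxy][FIREFX:Config] x2ofst8b.default : user_pref("network.proxy.type", 4); -> REPLACED (0)
"""

if __name__ == "__main__":
    verdicts, proxies = triage(SAMPLE_LOG)
    for func, verdict in verdicts.items():
        print(f"{verdict:12} {func}")
    for f in proxies:
        print(f"loopback proxy {f['proxy']} in profile {f['profile']} (active: {f['active']})")
```

On the page's own log every hook is "Unknown", so each one lands in the review bucket, and the proxy finding comes out as 127.0.0.1:5555 with `active` false because `network.proxy.type` was 4 (auto-detect) rather than 1; that matches RogueKiller deleting the host and port and resetting the type to 0.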
  9. RATS...still there:
     Malwarebytes Anti-Malware
     www.malwarebytes.org
     Scan Date: 7/8/2014
     Scan Time: 9:30:45 AM
     Logfile: MBlog7-8.txt
     Administrator: Yes
     Version: 2.00.2.1012
     Malware Database: v2014.07.08.06
     Rootkit Database: v2014.07.07.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled
     OS: Windows Vista Service Pack 2
     CPU: x86
     File System: NTFS
     User: Al & Mindy
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 371070
     Time Elapsed: 6 min, 52 sec
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Warn
     PUM: Enabled
     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)
     Registry Values: 1
     PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5555, , [c2542e6fdf9c85b1dc8ee595d72c758b]
     Registry Data: 0 (No malicious items detected)
     Folders: 0 (No malicious items detected)
     Files: 0 (No malicious items detected)
     Physical Sectors: 0 (No malicious items detected)
     (end)
  10. Dang, can't believe I forgot that log...might have run the program twice. Here is the info: AdwCleanerR0.txt AdwCleanerS0.txt
     Malwarebytes Anti-Malware
     www.malwarebytes.org
     Scan Date: 7/7/2014
     Scan Time: 5:57:32 PM
     Logfile: MBlog7-7.txt
     Administrator: Yes
     Version: 2.00.2.1012
     Malware Database: v2014.07.07.09
     Rootkit Database: v2014.07.07.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled
     OS: Windows Vista Service Pack 2
     CPU: x86
     File System: NTFS
     User: Al & Mindy
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 372458
     Time Elapsed: 8 min, 44 sec
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled
     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)
     Registry Values: 1
     PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5555, Quarantined, [d0e6cfcd6f0cdc5ac7c4e198b64d718f]
     Registry Data: 0 (No malicious items detected)
     Folders: 0 (No malicious items detected)
     Files: 0 (No malicious items detected)
     Physical Sectors: 0 (No malicious items detected)
     (end)
  11. Threat scan still shows PUM.BAD.PROXY...sent to quarantine.
  12. Just ran JRT twice. On the first pass, after backing up the registry, the black box program area showed several repeat lines of something like: "Can't find the specified path." It then said that a "bad module was found...press Y to reboot or N to reboot later". I chose to reboot. On the reboot the program seemed to be working, checking the registry, etc. Then it closed, but no report showed up and I am unable to find it anywhere. I ran it a second time and got the same bad module info, and rebooted. The program area loaded to the desktop but failed to run (waited about five minutes). I still can't find any hint of a txt file that JRT might have generated.
  13. Here's the Rkill file:
     Rkill 2.6.7 by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2014 BleepingComputer.com
     More Information about Rkill can be found at this link:
     http://www.bleepingcomputer.com/forums/topic308364.html
     Program started at: 07/07/2014 05:11:56 PM in x86 mode.
     Windows Version: Windows Vista Ultimate Service Pack 2
     Checking for Windows services to stop:
     * No malware services found to stop.
     Checking for processes to terminate:
     * No malware processes found to kill.
     Checking Registry for malware related settings:
     * No issues found in the Registry.
     Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
     Performing miscellaneous checks:
     * Windows Defender Disabled [HKLM\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware" = dword:00000001
     * Windows Firewall Disabled [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
     "EnableFirewall" = dword:00000000
     Checking Windows Service Integrity:
     * Windows Defender (WinDefend) is not Running. Startup Type set to: Manual
     * DFSR [Missing Service]
     Searching for Missing Digital Signatures:
     * No issues found.
     Checking HOSTS File:
     * HOSTS file entries found:
     127.0.0.1 localhost
     Program finished at: 07/07/2014 05:12:34 PM
     Execution time: 0 hours(s), 0 minute(s), and 37 seconds(s)
  14. Found two more logs: TDSSKiller.3.0.0.39_07.07.2014_14.18.07_log.txt TDSSKiller.3.0.0.39_07.07.2014_14.29.12_log.txt I'll start running the other programs...thanks
  15. MrC, here are the requested scans: TDSSKiller.3.0.0.39_07.07.2014_14.08.22_log.txt ComboFix.txt
  16. RKreport.txt Just sent you a PM just in case I wasn't able to get things together soon enough. Here's the RogueKiller info in Word.txt form...I hope it's sufficient.
  17. I first noticed this non-malware about two months ago. It appears on every scan and, as you know, the quarantine function doesn't resolve the issue. I've attached the two logs from FRST as well as a log of my latest MB Pro scan: FRST.txt Addition.txt MBLog7-5.txt