Jump to content

Need help detecting a problem Windows Version Installer


Recommended Posts

I realize this is malware and found the real name and uninstalled it from add remove programs however, to be on the safe side I installed Rogue Killer and need help reading the scan file. Also some advice on how to proceed would be appreciated. Thank you! 

 

RogueKiller V9.2.3.0 [Jul 11 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Laura-Casper [Admin rights]
Mode : Scan -- Date : 07/16/2014  13:23:52
 
¤¤¤ Bad processes : 1 ¤¤¤
[suspicious.Path] (SVC) VOsrv -- C:\Users\Laura-Casper\AppData\Roaming\VOPackage\VOsrv.exe[-] -> STOPPED
 
¤¤¤ Registry Entries : 13 ¤¤¤
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VOsrv -> FOUND
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VOsrv -> FOUND
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VOsrv -> FOUND
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51266;https=127.0.0.1:51266  -> FOUND
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51266;https=127.0.0.1:51266  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.5.1 64.134.255.2 64.134.255.10  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{841D2EC6-1486-4F3F-997D-6CC9F4535845} | DhcpNameServer : 192.168.5.1 64.134.255.2 64.134.255.10  -> FOUND
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2798006588-802444297-2930434412-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2798006588-802444297-2930434412-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
 
¤¤¤ Scheduled tasks : 7 ¤¤¤
[suspicious.Path] Digital Sites.job -- C:\Users\LAURA-~1\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] MySearchDial.job -- C:\Users\LAURA-~1\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] UpdaterEX.job -- C:\Users\LAURA-~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] \\Digital Sites -- C:\Users\LAURA-~1\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] \\MySearchDial -- C:\Users\LAURA-~1\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] \\UpdaterEX -- C:\Users\LAURA-~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] \\VisualBeeRecovery -- C:\Users\Laura-Casper\AppData\Local\VisualBeeExe\VisualBeeRecovery.exe (/s) -> FOUND
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\ibmpmdrv.sys)
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUP][iE:Addon] System : MixiDJ V30 Toolbar [{1122b43d-30ee-403f-9bfa-3cc99b0caddd}] -> FOUND
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK1234GSX ATA Device +++++
--- User ---
[MBR] 1dbbf8153e7721361471de9240378496
[bSP] c897e25d6d535fdfd5bbc380566c5aca : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 7237 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 14823424 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 15028224 | Size: 107134 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
Link to post
Share on other sites

Hi & :welcome:

My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully. :excl:

  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
frst.pngfrstscan.png

Please download Farbar Recovery Scan Tool and save it to your Desktop.

(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)

  • Start FRST with administator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.
Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.