jayjay99 Posted August 12, 2014

Hi! After several months of non-use I updated a bunch of software including the Java plug-in. Tried to get rid of the pesky payload without success. Windows Version Installer keeps popping up. Have run RogueKiller and have the following log:

RogueKiller V9.2.6.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ING [Admin rights]
Mode : Scan -- Date : 08/12/2014 14:08:03

¤¤¤ Bad processes : 1 ¤¤¤
[suspicious.Path] (SVC) servervo -- C:\Users\ING\AppData\Roaming\VOPackage\VOsrv.exe[-] -> STOPPED

¤¤¤ Registry Entries : 12 ¤¤¤
[suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | BigDog305 : C:\Windows\VM305_STI.EXE USB PC Camera VC305 -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\servervo -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\servervo -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\servervo -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3404179652-3976374348-2591870498-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13945;https=127.0.0.1:13945 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3404179652-3976374348-2591870498-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13945;https=127.0.0.1:13945 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3404179652-3976374348-2591870498-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3404179652-3976374348-2591870498-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EALX-229BA0 ATA Device +++++
--- User ---
[MBR] 18b1fce4b2db1c4af291bab08f7bda61
[bSP] dc96e5d8ffecd3a4f406bec3e2552dce : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 853667 MB
2 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 1748723710 | Size: 100000 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Have not deleted anything. Will appreciate advice on the next steps.

Attachment: RKreport_SCN_08122014_140803.log
daledoc1 Posted August 12, 2014

Hello and welcome:

We can't review scan logs or work on malware diagnostics and removal in this sub-section of the forum.
So, for expert assistance, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
A malware analyst will guide you through the cleanup process.

Thanks,