
RogueKiller Scan - Help


1 reply to this topic

#1 sousliac


Posted 01 April 2014 - 02:14 PM

Hello,

 

I have a suspicious entry that keeps appearing in a RogueKiller scan:

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : ה' יעזור [Admin rights]
Mode : Scan -- Date : 04/01/2014 13:50:50
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 5 ¤¤¤
[All Users][SUSP UNIC] HP Digital Imaging Monitor.lnk : C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\HP Digital Imaging Monitor.lnk @C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [-][7] -> FOUND
[All Users][SUSP UNIC] HP Photosmart Premier Fast Start.lnk : C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\HP Photosmart Premier Fast Start.lnk @C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s [-][-] -> FOUND
[All Users][SUSP UNIC] McAfee Security Scan Plus.lnk : C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\McAfee Security Scan Plus.lnk @C:\PROGRA~1\MCAFEE~1\38B0E9~1.141\SSSCHE~1.EXE [-][7] -> FOUND
[Guest][SUSP UNIC] 34EE9A.lnk : C:\Documents and Settings\Guest\תפריט התחלה\תוכניות\הפעלה\34EE9A.lnk @C:\WINDOWS\system32\9743CA\34EE9A.EXE [-][x] -> FOUND
[ה' יעזור][SUSP UNIC] Dropbox.lnk : C:\Documents and Settings\ה' יעזור\תפריט התחלה\תוכניות\הפעלה\Dropbox.lnk @C:\DOCUME~1\'EC25~1\APPLIC~1\Dropbox\bin\Dropbox.exe /systemstartup [-][7] -> FOUND

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) Seagate ST1000DM003-9YN1 SCSI Disk Device +++++
--- User ---
[MBR] 23cf3d4b13bae1b3aeee9f53bdf7169d
[BSP] 70a36ad79fda64ea2ce68247b01e5247 : Windows XP MBR Code

Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 312530 MB
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 640061730 | Size: 641337 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] ????????? ?????. )
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Verbatim STORE N GO USB Device +++++
--- User ---
[MBR] 1d6dee63691aa8c4e727b1d0147d4df1
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code

Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15282 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] ??????? ???? ?????. )
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) EPSON Storage USB Device +++++
--- User ---
[MBR] fa6d13ad7179118f4fed64408274dacd
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code

Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 135 | Size: 1884 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] ??????? ???? ?????. )

Finished : << RKreport[0]_S_04012014_135050.txt >>

This is the suspicious entry:

[Guest][SUSP UNIC] 34EE9A.lnk : C:\Documents and Settings\Guest\תפריט התחלה\תוכניות\הפעלה\34EE9A.lnk @C:\WINDOWS\system32\9743CA\34EE9A.EXE [-][x] -> FOUND

I've tried to delete this entry, first by checking to see if 34EE9A.EXE exists in the C:\WINDOWS\system32\9743CA directory. The directory is present, but nothing is showing inside, with "attrib *.*" outputting "File Not Found".

 

To be sure it wasn't just detecting the orphaned shortcut, I went into "C:\Documents and Settings\Guest\", but there I don't see a "34" directory.

 

Here is a screen shot of a "dir /a":

 

[Attached screenshot: image0012.png]

 

Please mind the gibberish letters as this is not an English WinXP installation.

 

TDSSKiller was already run with loaded modules (nothing found). Malwarebytes found "Trojan.FAKEMS" in c:\windows\system32\wmiadap.exe, but successfully cleaned it (I think it was something hooking into the process).

 

Thank you very much for your help.
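The check the poster did by hand (does the shortcut's target executable actually exist, and does the path look like a randomly named folder under system32?) can be run over every "Startup Entries" line of a RogueKiller report. The script below is an added example, not code from this thread or from Adlice Software; the line layout it parses is inferred from the report above, it assumes the targets end in .exe, and the sample lines are constructed in that format with shortened shortcut folders.

```python
import os
import re

# Added example (not code from the thread or from Adlice): parse the
# "Startup Entries" lines of a RogueKiller report and triage each .lnk target.
# Line shape, as seen in the report above:
#   [User][TAG] name.lnk : <lnk path> @<target.exe> [args] [f1][f2] -> FOUND
ENTRY_RE = re.compile(
    r"^\[(?P<user>[^\]]+)\]\[(?P<tag>[^\]]+)\] (?P<name>.+?) : (?P<lnk>.+?) "
    r"@(?P<target>.+?\.exe)(?: (?P<args>.+?))? \[(?P<f1>[^\]]*)\]\[(?P<f2>[^\]]*)\]"
    r" -> (?P<status>\w+)$",
    re.IGNORECASE,
)
# Names made only of hex digits, like system32\9743CA\34EE9A.EXE in the report.
HEX_NAME_RE = re.compile(r"^[0-9A-F]{4,}$", re.IGNORECASE)

# Constructed sample in the report's format (shortcut folders shortened).
SAMPLE = """\
[All Users][SUSP UNIC] HP Digital Imaging Monitor.lnk : C:\\Startup\\HP Digital Imaging Monitor.lnk @C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe [-][7] -> FOUND
[Guest][SUSP UNIC] 34EE9A.lnk : C:\\Documents and Settings\\Guest\\Startup\\34EE9A.lnk @C:\\WINDOWS\\system32\\9743CA\\34EE9A.EXE [-][x] -> FOUND
"""

def parse_entry(line):
    """Return a dict for one startup line of the report, or None otherwise."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "tag": m["tag"], "lnk": m["lnk"],
            "target": m["target"], "args": m["args"] or "", "reasons": []}

def triage(entry, exists=os.path.exists):
    """Attach plain-language reasons the entry deserves a closer look."""
    # `exists` is injectable so the checks can run away from the original
    # disk: pass a constructed lookup, or keep the default os.path.exists.
    parts = [p for p in entry["target"].split("\\") if p]
    stem = os.path.splitext(parts[-1])[0]
    if not exists(entry["target"]):
        entry["reasons"].append("target executable not found on disk")
    if HEX_NAME_RE.match(stem):
        entry["reasons"].append("executable name is only hex digits")
    if len(parts) > 1 and HEX_NAME_RE.match(parts[-2]):
        entry["reasons"].append("parent folder name is only hex digits")
    return entry

def triage_report(text, exists=os.path.exists):
    """Parse every startup line in the report; keep entries with any reason."""
    entries = [parse_entry(line) for line in text.splitlines()]
    return [e for e in (triage(e, exists) for e in entries if e) if e["reasons"]]
```

Run on a live machine with the default `exists`, an entry whose target is reported missing while the shortcut still launches it is the case worth escalating, since a hidden or rootkit-protected file looks exactly like an orphaned shortcut from the command line.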




 


#2 Broni


Posted 01 April 2014 - 05:48 PM

Welcome aboard

 

RogueKiller is not allowed in this forum.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

