Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

RogueKiller Findings


  • This topic is locked This topic is locked
4 replies to this topic

#1 CorruptCoW

CorruptCoW

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 13 October 2014 - 09:27 AM

After a problem was identified and (possibly) resolved in another thread in the "Am I infected" forum on this site, it was suggested I do a couple scans of my system using TDSSKillier and RogueKiller to identify remnents of the original problem (or something totally unrelated).

 

I'm not experiencing any crippling symptoms, but I do experience these oddities:

 

- when using Windows Explorer, it will crash if I attempt to open folders from the left pane of the window. I can only drill down into folders using the right pane. (http://www.bleepingcomputer.com/forums/t/511270/shell32dll-causing-windows-explorer-crash/?view=findpost&p=3185230). I hadn't tried all the solutions suggested there as their are some heavy duty time commitments required to do them properly. I might live with the inconvenience. (Maybe a Windows 7 repair will resolve?)

- my mouse is very jumpy

- I'm unable to install Nvidia device drivers without Windows crashing on startup.

 

TDSSKilller came up clear of any threats, however, RogueKiller generated this log with what I believe may be problems.

 

Is anyone able to provide some assistance on what I should do, if anything, at this point?

 

RogueKiller Log:

 

RogueKiller V10.0.1.0 (x64) [Oct 10 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ******** [Administrator]
Mode : Scan -- Date : 10/13/2014  10:10:52

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3094640726-3561608692-1966403301-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:21320  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3094640726-3561608692-1966403301-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:21320  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3094640726-3561608692-1966403301-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3094640726-3561608692-1966403301-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 6 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] 2dlnaijw.default : user_pref("network.proxy.type", 4); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Y9A0 ATA Device +++++
--- User ---
[MBR] 2f2daa508fcbdda13de8a4c62dfb4475
[BSP] 17015d155d5310b3a9053ca6a36dab8a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 953868 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD10EARX-32N0YB0 ATA Device +++++
--- User ---
[MBR] 775f0d1bb9bd58abab884ac88e342c2c
[BSP] ce651d0e47b26c72ed305982be240aa4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WDC WD10EZEX-00RKKA0 ATA Device +++++
--- User ---
[MBR] e1d5f739655332e7a89e58f1873d0f3b
[BSP] e06095efbaf19dd722c1cd76f461d153 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: WD My Book 1230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_09272014_103949.log



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 14 October 2014 - 04:57 AM

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine

Having said that we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 CorruptCoW

CorruptCoW
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 14 October 2014 - 09:50 AM

TB-Psychotic,

 

Thank you for taking the time to reply, the offer to assist despite my violations, and the stern warning. These applications have been rarely used, installed more out of curiousity than practicality, and have been permanently removed from my system through reformatting of my drive and the reinstallation of my operating system. The dangers of using software of this type was not fully appreciated at the time it was considered, but has since now demonstrated its inherit qualities enough for me to want to avoid it. I can only provide you with words, but I assure all such software has been eliminated with no desire to reinstall. My punishment is the embarassment and the daunting task of re-installation. I feel a ban is warranted.

 

Thanks again.



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 16 October 2014 - 09:10 AM

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don´t change one of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Poste the FRST.txt and (after the first scan only!) the Addition.txt.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please attach this file to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 PM

Posted 07 November 2014 - 03:16 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users