
Rootkit still present after clean install



#1 TwistedZombie

Posted 09 November 2014 - 07:46 AM

Hi 'boopme' asked me to post a dds report in here. Please note the dds files might not be accurate as iexploer was saying I was connecting to an unsafe website and the dds program couldn't be verified on download. This is the original post to give you some background of my problem http://www.bleepingcomputer.com/forums/t/555294/persistent-rootkit/#entry3531413

 

It will be best if I keep the computer offline as much as possible as the 'hacker' will change any fixes i make.

 

Here are the dds files: 

 

Many thanks for any help received.

Edited by TwistedZombie, 09 November 2014 - 11:21 AM.



#2 HelpBot

Posted 14 November 2014 - 10:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/555363 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 TwistedZombie

Posted 16 November 2014 - 11:34 AM

Hi, I've installed Windows 8 about five times today but a rootkit keeps loading and I can't get rid of it.

 

I have run MBR check and it says I have an unknown MBR and I have run GMER and it says I have a rootkit, this is after I have run KillDisk and done a fresh install every time.

 

I have an original OEM version of Windows 8 64bit

 

I wonder if I should just sell my components and start again?



#4 Valinorum

Posted 16 November 2014 - 09:53 PM

Hi TwistedZombie, :)

:welcome:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:
  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process, so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe Mode, which will cut you off from the internet, and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.
 
  • Step #1 Scan with Farbar Recovery Scan Tool
    • Please download Farbar Recovery Scan Tool by Farbar to your Desktop from the link below.
      Download link for 32 bit system
      Download link for 64 bit system
    • Right-click on the program and choose Run as administrator;
    • Put tick-mark on all boxes under Whitelist and Optional Scan;
    • Click on Scan;
    • After the scan two notepad files will be opened --
      • FRST.txt;
      • Addition.txt
    • Copy and Paste the contents of the logs in your next reply.
  
  • Required Log(s):
    • Farbar's tool log(s)--
      • FRST.txt
      • Addition.txt
    • RogueKiller Log
Regards,
Valinorum

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or Moderators to reactivate. All help is provided via the forum, ergo do not PM me for help.

 


#5 TwistedZombie

Posted 17 November 2014 - 02:50 PM

Hi there.

 

And many thanks for your time.

 

Please find the logs requested below:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-11-2014 03
Ran by jh (administrator) on HOME on 01-01-2013 00:02:33
Running from C:\Users\jh\Desktop
Loaded Profile: jh (Available profiles: jh)
Platform: Windows 8 Pro (X64) OS Language: English (United Kingdom)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
 
FireFox:
========
 
Chrome: 
=======
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [15440 2012-07-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2013-01-01 00:16 - 2013-01-01 00:16 - 00001430 _____ () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-01-01 00:16 - 2013-01-01 00:16 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2013-01-01 00:16 - 2013-01-01 00:16 - 00000000 ____D () C:\Users\jh\AppData\Roaming\Adobe
2013-01-01 00:15 - 2013-01-01 00:16 - 00000000 ____D () C:\Users\jh\AppData\Local\Packages
2013-01-01 00:15 - 2013-01-01 00:16 - 00000000 ____D () C:\Users\jh
2013-01-01 00:15 - 2013-01-01 00:16 - 00000000 ____D () C:\ProgramData\PRICache
2013-01-01 00:15 - 2013-01-01 00:15 - 00000020 ___SH () C:\Users\jh\ntuser.ini
2013-01-01 00:15 - 2013-01-01 00:15 - 00000000 ____D () C:\Windows\CSC
2013-01-01 00:15 - 2013-01-01 00:15 - 00000000 ____D () C:\Users\jh\AppData\Local\VirtualStore
2013-01-01 00:15 - 2013-01-01 00:15 - 00000000 _____ () C:\Windows\WindowsUpdate.log
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ___RD () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ___RD () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ___RD () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ____D () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-01-01 00:14 - 2013-01-01 00:15 - 00000000 _____ () C:\Recovery.txt
2013-01-01 00:14 - 2013-01-01 00:14 - 00000000 __SHD () C:\Recovery
2013-01-01 00:12 - 2013-01-01 00:12 - 00001136 _____ () C:\Windows\system32\netcfg-12468.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000185 _____ () C:\Windows\system32\netcfg-17875.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000164 _____ () C:\Windows\system32\netcfg-16187.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000161 _____ () C:\Windows\system32\netcfg-16843.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000160 _____ () C:\Windows\system32\netcfg-16734.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000160 _____ () C:\Windows\system32\netcfg-16515.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000160 _____ () C:\Windows\system32\netcfg-16078.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000159 _____ () C:\Windows\system32\netcfg-16406.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000157 _____ () C:\Windows\system32\netcfg-16625.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000157 _____ () C:\Windows\system32\netcfg-12281.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000150 _____ () C:\Windows\system32\netcfg-16296.txt
2013-01-01 00:11 - 2013-01-01 00:12 - 00000000 ____D () C:\Windows\Panther
2013-01-01 00:11 - 2013-01-01 00:11 - 00000424 _____ () C:\Windows\PFRO.log
2013-01-01 00:02 - 2014-11-17 16:10 - 17535064 _____ () C:\Users\jh\Desktop\RogueKillerX64.exe
2013-01-01 00:02 - 2014-11-17 16:10 - 02117120 _____ (Farbar) C:\Users\jh\Desktop\FRST64.exe
2013-01-01 00:02 - 2013-01-01 00:02 - 00001945 _____ () C:\Users\jh\Desktop\FRST.txt
2013-01-01 00:02 - 2013-01-01 00:02 - 00000000 ____D () C:\FRST
2013-01-01 00:01 - 2013-01-01 00:01 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2013-01-01 00:15 - 2012-07-26 08:12 - 00000000 ___RD () C:\Windows\ImmersiveControlPanel
2013-01-01 00:15 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\WinStore
2013-01-01 00:15 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\system32\Recovery
2013-01-01 00:15 - 2012-07-26 07:19 - 00281088 _____ () C:\Windows\system32\FNTCACHE.DAT
2013-01-01 00:12 - 2012-07-26 08:13 - 00001720 _____ () C:\Windows\DtcInstall.log
2013-01-01 00:12 - 2012-07-26 05:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2013-01-01 00:11 - 2012-07-26 08:13 - 00262144 _____ () C:\Windows\system32\config\BCD-Template
2013-01-01 00:01 - 2012-07-26 07:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2013-01-01 00:01 - 2012-07-26 07:21 - 00013671 _____ () C:\Windows\setupact.log
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
 
 
LastRegBack: 2013-01-01 00:11
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-11-2014 03
Ran by jh at 2013-01-01 00:02:43
Running from C:\Users\jh\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2012-07-26 05:26 - 2012-07-26 05:26 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {F8E9F306-F34A-402E-A5B7-FB560F72E779} - System32\Tasks\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup
 
==================== Loaded Modules (whitelisted) =============
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-2089307483-3405813896-692474766-500 - Administrator - Disabled)
Guest (S-1-5-21-2089307483-3405813896-692474766-501 - Limited - Disabled)
jh (S-1-5-21-2089307483-3405813896-692474766-1001 - Administrator - Enabled) => C:\Users\jh
 
==================== Faulty Device Manager Devices =============
 
Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/01/2013 00:01:33 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: home)
Description: Activation of application Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144980991 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (01/01/2013 00:01:08 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80070057
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=05e80e9f-93e3-4433-8b6d-bac4ae66d7bc;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (01/01/2013 00:15:53 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80070057
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=05e80e9f-93e3-4433-8b6d-bac4ae66d7bc;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (01/01/2013 00:15:50 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80070057
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=05e80e9f-93e3-4433-8b6d-bac4ae66d7bc;NotificationInterval=1440;Trigger=TimerEvent
 
 
System errors:
=============
Error: (01/01/2013 00:00:57 AM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 32212256841085904
 
Error: (01/01/2013 00:01:02 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 00:15:38 on ‎01/‎01/‎2013 was unexpected.
 
Error: (01/01/2013 00:18:05 AM) (Source: DCOM) (EventID: 10010) (User: home)
Description: Microsoft.WindowsLive.Platform.Service.RemoteProcess
 
Error: (01/01/2013 00:12:00 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error: 
%%21
 
Error: (01/01/2013 00:12:00 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error: 
%%1058
 
Error: (01/01/2013 00:11:50 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
 
 
Microsoft Office Sessions:
=========================
Error: (01/01/2013 00:01:33 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: home)
Description: Microsoft.BingWeather_8wekyb3d8bbwe!App-2144980991
 
Error: (01/01/2013 00:01:08 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0x80070057RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=05e80e9f-93e3-4433-8b6d-bac4ae66d7bc;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (01/01/2013 00:15:53 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0x80070057RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=05e80e9f-93e3-4433-8b6d-bac4ae66d7bc;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (01/01/2013 00:15:50 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0x80070057RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=05e80e9f-93e3-4433-8b6d-bac4ae66d7bc;NotificationInterval=1440;Trigger=TimerEvent
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-4590 CPU @ 3.30GHz
Percentage of memory in use: 19%
Total physical RAM: 4024.01 MB
Available physical RAM: 3236.73 MB
Total Pagefile: 7608.01 MB
Available Pagefile: 6795.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.78 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.27 GB) (Free:96.87 GB) NTFS
Drive d: (HRM_CCSA_X64FRE_EN-GB_DV5) (CDROM) (Total:3.27 GB) (Free:0 GB) UDF
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 111.8 GB) (Disk ID: 5468ADFD)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================
 
 
RogueKiller V10.0.6.0 (x64) [Nov 13 2014] by Adlice Software
 
Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : jh [Administrator]
Mode : Scan -- Date : 01/01/2013  00:04:48
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SH103S3120G +++++
--- User ---
[MBR] 7eda437604d69e42b7a1d45ccc40ef96
[BSP] 57b5e3b12a71eb97e2f30fdba58c87c4 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
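The RogueKiller "MBR Check" above reports "Empty MBR Code" and a single UNKNOWN partition starting at sector 1 with a size of 2097152 MB, while FRST reports the disk as GPT. On a GPT disk, sector 0 holds only a protective MBR: per the UEFI specification it carries one partition entry of type 0xEE starting at LBA 1 and spanning the disk (0xFFFFFFFF sectors, which is where the 2 TB figure comes from), and UEFI firmware never executes its boot-code area, so that area being empty is the normal state rather than evidence of tampering. The following added example (not code from the thread, RogueKiller or FRST) decodes a 512-byte sector 0 and tells a protective MBR apart from a classic BIOS-style MBR; the two sample sectors are constructed, and the only value taken from the thread is the Disk ID 5468ADFD from the FRST log.

```python
"""Decode sector 0 of a disk and classify it as a GPT protective MBR,
a classic MBR with boot code, or an MBR with no boot code at all."""
import struct

SECTOR = 512
GPT_PROTECTIVE_TYPE = 0xEE  # UEFI spec: one 0xEE entry covering the whole disk


def parse_mbr(sector0: bytes) -> dict:
    """Decode the MBR layout: 440 bytes boot code, 4-byte disk signature,
    2 reserved bytes, four 16-byte partition entries, 0xAA55 signature."""
    if len(sector0) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA of first sector, sector count
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({
            "status": status,
            "type": ptype,
            "start_lba": start_lba,
            "sectors": count,
            # size as an MBR-check tool would print it; 0xFFFFFFFF sectors rounds to 2097152 MB
            "size_mb": round(count * SECTOR / (1024 * 1024)),
        })
    return {
        "boot_code_empty": not any(sector0[:440]),
        "disk_id": struct.unpack_from("<I", sector0, 440)[0],
        "entries": entries,
        "signature_ok": struct.unpack_from("<H", sector0, 510)[0] == 0xAA55,
    }


def classify(info: dict) -> str:
    """Return 'invalid', 'gpt-protective', 'classic-mbr' or 'classic-no-bootcode'."""
    if not info["signature_ok"]:
        return "invalid"
    ents = info["entries"]
    if len(ents) == 1 and ents[0]["type"] == GPT_PROTECTIVE_TYPE and ents[0]["start_lba"] == 1:
        # UEFI firmware never runs MBR boot code on a GPT disk, so an all-zero
        # boot-code area is expected here and is not by itself a sign of infection.
        return "gpt-protective"
    return "classic-mbr" if not info["boot_code_empty"] else "classic-no-bootcode"


def _entry(ptype: int, start_lba: int, count: int) -> bytes:
    # status 0x00, CHS start 0x000200, type, CHS end 0xFFFFFF, LBA start, sector count
    return struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", ptype, b"\xff\xff\xff", start_lba, count)


def build_protective_mbr() -> bytes:
    """Constructed sample: what sector 0 of a GPT disk looks like."""
    sector = bytearray(SECTOR)  # boot-code area left all zero
    struct.pack_into("<I", sector, 440, 0x5468ADFD)  # Disk ID quoted from the FRST log
    sector[446:462] = _entry(GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)
    struct.pack_into("<H", sector, 510, 0xAA55)
    return bytes(sector)


def build_classic_mbr() -> bytes:
    """Constructed sample: a BIOS-style MBR with boot code and one NTFS partition."""
    sector = bytearray(SECTOR)
    sector[0:6] = b"\xfa\x33\xc0\x8e\xd0\xbc"  # opening bytes of a typical x86 boot stub
    struct.pack_into("<I", sector, 440, 0x12345678)  # constructed disk signature
    sector[446:462] = _entry(0x07, 2048, 204800)  # 0x07 = NTFS/exFAT, 100 MB
    struct.pack_into("<H", sector, 510, 0xAA55)
    return bytes(sector)


if __name__ == "__main__":
    for name, blob in (("GPT disk", build_protective_mbr()), ("BIOS disk", build_classic_mbr())):
        info = parse_mbr(blob)
        print(name, classify(info), "boot code empty:", info["boot_code_empty"], info["entries"])
```

Whether a particular machine is infected cannot be decided from the MBR line alone; on a GPT/UEFI system the boot path runs through the EFI System Partition and the firmware, which is where a persistent boot-time component would have to be examined.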


#6 Valinorum

Posted 17 November 2014 - 11:25 PM

Please peruse this to fix the MBR and provide myself with a fresh FRST log.


 


#7 TwistedZombie

Posted 18 November 2014 - 05:29 PM

When I ran bootsect it said something along the lines of
 
harddiskvolume 2 > successful updated fat32
harddisk 0/dr0 > bootcode is only updated on MBR partitioned disks a different partitioning scheme is used on this disk
 
 
here are the scan results, many thanks for your time
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-11-2014 03
Ran by jh (administrator) on HOME on 01-01-2013 00:13:18
Running from C:\Users\jh\Desktop
Loaded Profile: jh (Available profiles: jh)
Platform: Windows 8 Pro (X64) OS Language: English (United Kingdom)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
 
FireFox:
========
 
Chrome: 
=======
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [15440 2012-07-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2013-01-01 00:16 - 2013-01-01 00:16 - 00001430 _____ () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-01-01 00:16 - 2013-01-01 00:16 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2013-01-01 00:16 - 2013-01-01 00:16 - 00000000 ____D () C:\Users\jh\AppData\Roaming\Adobe
2013-01-01 00:15 - 2013-01-01 00:16 - 00000000 ____D () C:\Users\jh\AppData\Local\Packages
2013-01-01 00:15 - 2013-01-01 00:16 - 00000000 ____D () C:\Users\jh
2013-01-01 00:15 - 2013-01-01 00:16 - 00000000 ____D () C:\ProgramData\PRICache
2013-01-01 00:15 - 2013-01-01 00:15 - 00000020 ___SH () C:\Users\jh\ntuser.ini
2013-01-01 00:15 - 2013-01-01 00:15 - 00000000 ____D () C:\Windows\CSC
2013-01-01 00:15 - 2013-01-01 00:15 - 00000000 ____D () C:\Users\jh\AppData\Local\VirtualStore
2013-01-01 00:15 - 2013-01-01 00:15 - 00000000 _____ () C:\Windows\WindowsUpdate.log
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ___RD () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ___RD () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ___RD () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2013-01-01 00:15 - 2012-07-26 08:13 - 00000000 ____D () C:\Users\jh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-01-01 00:14 - 2013-01-01 00:15 - 00000000 _____ () C:\Recovery.txt
2013-01-01 00:14 - 2013-01-01 00:14 - 00000000 __SHD () C:\Recovery
2013-01-01 00:12 - 2013-01-01 00:12 - 00001136 _____ () C:\Windows\system32\netcfg-12468.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000185 _____ () C:\Windows\system32\netcfg-17875.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000164 _____ () C:\Windows\system32\netcfg-16187.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000161 _____ () C:\Windows\system32\netcfg-16843.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000160 _____ () C:\Windows\system32\netcfg-16734.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000160 _____ () C:\Windows\system32\netcfg-16515.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000160 _____ () C:\Windows\system32\netcfg-16078.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000159 _____ () C:\Windows\system32\netcfg-16406.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000157 _____ () C:\Windows\system32\netcfg-16625.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000157 _____ () C:\Windows\system32\netcfg-12281.txt
2013-01-01 00:12 - 2013-01-01 00:12 - 00000150 _____ () C:\Windows\system32\netcfg-16296.txt
2013-01-01 00:11 - 2013-01-01 00:12 - 00000000 ____D () C:\Windows\Panther
2013-01-01 00:11 - 2013-01-01 00:11 - 00000424 _____ () C:\Windows\PFRO.log
2013-01-01 00:06 - 2013-01-01 00:06 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2089307483-3405813896-692474766-1001
2013-01-01 00:03 - 2013-01-01 00:03 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2013-01-01 00:03 - 2013-01-01 00:03 - 00000000 ____D () C:\ProgramData\RogueKiller
2013-01-01 00:02 - 2014-11-17 16:10 - 17535064 _____ () C:\Users\jh\Desktop\RogueKillerX64.exe
2013-01-01 00:02 - 2014-11-17 16:10 - 02117120 _____ (Farbar) C:\Users\jh\Desktop\FRST64.exe
2013-01-01 00:02 - 2013-01-01 00:13 - 00002083 _____ () C:\Users\jh\Desktop\FRST.txt
2013-01-01 00:02 - 2013-01-01 00:13 - 00000000 ____D () C:\FRST
2013-01-01 00:01 - 2013-01-01 00:01 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2013-01-01 00:15 - 2012-07-26 08:12 - 00000000 ___RD () C:\Windows\ImmersiveControlPanel
2013-01-01 00:15 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\WinStore
2013-01-01 00:15 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\system32\Recovery
2013-01-01 00:15 - 2012-07-26 07:19 - 00281088 _____ () C:\Windows\system32\FNTCACHE.DAT
2013-01-01 00:12 - 2012-07-26 08:13 - 00001720 _____ () C:\Windows\DtcInstall.log
2013-01-01 00:12 - 2012-07-26 07:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2013-01-01 00:12 - 2012-07-26 05:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2013-01-01 00:11 - 2012-07-26 08:13 - 00262144 _____ () C:\Windows\system32\config\BCD-Template
2013-01-01 00:05 - 2012-07-26 07:28 - 00803370 _____ () C:\Windows\system32\PerfStringBackup.INI
2013-01-01 00:05 - 2012-07-26 07:21 - 00014465 _____ () C:\Windows\setupact.log
 
Some content of TEMP:
====================
C:\Users\jh\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
 
 
LastRegBack: 2013-01-01 00:11
 
==================== End Of Log ============================


#8 Valinorum

    Shadow Hide The Hunter

  • Malware Response Instructor
  • 1,648 posts
  • Gender:Not Telling

Posted 19 November 2014 - 12:33 AM

Do you have another working 64-Bit PC? If so, copy the C:\Windows\system32\codeintegrity\Bootcat.cache to your C:\Windows\system32\codeintegrity folder.

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or Moderators to reactivate. All helps are provided via forum ergo do not PM me for help.

 


#9 TwistedZombie
  • Topic Starter

  • Members
  • 24 posts

Posted 19 November 2014 - 06:13 PM

Do you have another working 64-Bit PC? If so, copy the C:\Windows\system32\codeintegrity\Bootcat.cache to your C:\Windows\system32\codeintegrity folder.


Hi there, I don't, unfortunately.
I'm happy to do a fresh install or whatever it takes, but I don't have another PC. I have left the computer as is; I will await your advice. Many thanks.

#10 Valinorum

    Shadow Hide The Hunter

  • Malware Response Instructor
  • 1,648 posts
  • Gender:Not Telling

Posted 19 November 2014 - 11:40 PM

I see no traces of a rootkit and, as you told me that it was a fresh install, I doubt it. Why are you inclined to believe otherwise, may I ask? :)


 


#11 Valinorum

    Shadow Hide The Hunter

  • Malware Response Instructor
  • 1,648 posts
  • Gender:Not Telling

Posted 23 November 2014 - 11:03 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
