Need help with this log from RogueKiller(Possible rootkit)


This topic is locked
27 replies to this topic

#16 MrNobodyx

MrNobodyx
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 27 November 2014 - 12:31 PM

https://www.dropbox.com/s/bh2vuser8qmu4lp/Addition.txt?dl=0

https://www.dropbox.com/s/m7019r7t1vp878f/FRST.txt?dl=0





#17 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,042 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:06:46 AM

Posted 27 November 2014 - 12:57 PM

IMPORTANT: You MUST use Internet Explorer for this step!
  • Visit the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use and click Start.
  • When asked, allow the ActiveX control to install.
  • Select Enable detection of potentially unwanted applications and select Advanced Settings.
  • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked.
  • Click Start. (This scan can take several hours, so please be patient.)
  • Once the scan is completed, select List of found threats.
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop.
  • Click the Back button.
  • Click the Finish button.
  • Use Notepad to open the saved log file (on your Desktop: ESET.txt).
  • Copy and paste that log as a reply to this topic.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#18 MrNobodyx


Posted 27 November 2014 - 01:53 PM

I don't have any log for ESET; nothing was found except for this in the program path.

Attached file: log.txt (673 bytes)


#19 Machiavelli


Posted 27 November 2014 - 03:03 PM

How is your system running?

~Machiavelli



#20 MrNobodyx


Posted 27 November 2014 - 10:59 PM

Hi, my system is running well; it's just that I am worried about the previous log from RogueKiller picking up some process as a rootkit when I disable some startup items.


But on a new scan today, with all processes running, no rootkit (IATHOOK) was found:

RogueKiller V10.0.8.0 (x64) [Nov 20 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : xtre [Administrator]
Mode : Scan -- Date : 11/28/2014  11:57:38

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klkbdflt2 (\SystemRoot\system32\DRIVERS\klkbdflt2.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD56FF1D-AD93-4B78-AA8A-3A296CB56AB7} | NameServer : 37.221.175.198,95.169.183.219 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AD56FF1D-AD93-4B78-AA8A-3A296CB56AB7} | NameServer : 37.221.175.198,95.169.183.219 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM001-1CH164 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_11252014_163353.log - RKreport_SCN_11252014_164156.log - RKreport_SCN_11272014_232209.log - RKreport_SCN_11272014_233546.log
RKreport_SCN_11272014_234422.log - RKreport_SCN_11282014_003643.log



#21 Machiavelli


Posted 28 November 2014 - 12:48 AM

The .sys file is good: http://www.herdprotect.com/klkbdflt2.sys-55afbcba714fde3c85385b4d1ffc8e4e14cfbebd.aspx

Was this name server set by you: 37.221.175.198, 95.169.183.219?

~Machiavelli



#22 MrNobodyx


Posted 28 November 2014 - 01:24 AM

That DNS was from CyberGhost, since I am experiencing ISP throttling and censorship.


Edited by MrNobodyx, 28 November 2014 - 01:24 AM.
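The triage Machiavelli performs on the RogueKiller report above (checking the driver behind the Hidden.From.SCM entry and asking who configured the NameServer values) is a repeatable check, so here is an added Python example. It is not RogueKiller's or BleepingComputer's code: it parses the registry lines quoted from the report in this thread (embedded below as a constructed sample), extracts the per-interface DNS resolvers, classifies each as expected, private (a LAN router or local stub resolver) or needing review, and lists services hidden from the Service Control Manager together with their driver image path. The allow-list of known resolvers is an assumption supplied by whoever runs the check; in this thread it would hold the CyberGhost resolvers the poster confirmed.

```python
"""Triage helper for RogueKiller 'Registry' findings (added example, not RogueKiller's own code)."""
import re
from ipaddress import ip_address

# Constructed sample: three of the registry lines quoted in the RogueKiller report in this thread.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 7 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klkbdflt2 (\SystemRoot\system32\DRIVERS\klkbdflt2.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD56FF1D-AD93-4B78-AA8A-3A296CB56AB7} | NameServer : 37.221.175.198,95.169.183.219 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
"""

# One finding per line: "[Category] (Arch) <key>[ | <value name> : <value>] -> <status>"
FINDING_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] \((?P<arch>X86|X64)\) (?P<body>.*?)\s*-> (?P<status>\w+)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_report(text):
    """Return one dict per finding line; section headers and other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        key, _, rest = m.group("body").partition(" | ")
        value_name, _, value = rest.partition(" : ")
        findings.append({
            "category": m.group("category"),
            "arch": m.group("arch"),
            "key": key.strip(),
            "value_name": value_name.strip() or None,
            "value": value.strip() or None,
            "status": m.group("status"),
        })
    return findings


def resolvers_from(finding):
    """Resolver IPs from a PUM.Dns NameServer finding (RogueKiller appends geo notes after them)."""
    if finding["category"] != "PUM.Dns" or finding["value_name"] != "NameServer":
        return []
    return IPV4_RE.findall(finding["value"])


def triage_dns(findings, known_resolvers=()):
    """Classify every configured resolver as 'expected' (on the operator's allow-list,
    assumed here to be the VPN provider's servers), 'private' (RFC 1918, loopback or
    link-local, i.e. a LAN router), or 'review' (a public resolver nobody has accounted for)."""
    known = set(known_resolvers)
    results = []
    for f in findings:
        interface = f["key"].rsplit("\\", 1)[-1]  # trailing {GUID} of the Interfaces\ key
        for ip in resolvers_from(f):
            if ip in known:
                verdict = "expected"
            elif ip_address(ip).is_private:
                verdict = "private"
            else:
                verdict = "review"
            results.append((interface, ip, verdict))
    return results


def hidden_services(findings):
    """(service name, driver image path) for each service reported as hidden from the SCM;
    the image path is what you would hash and look up, as Machiavelli did for klkbdflt2.sys."""
    out = []
    for f in findings:
        if f["category"] != "Hidden.From.SCM":
            continue
        name = f["key"].split(" (")[0].rsplit("\\", 1)[-1]
        m = re.search(r"\(([^()]+)\)\s*$", f["key"])
        out.append((name, m.group(1) if m else None))
    return out


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for iface, ip, verdict in triage_dns(found):
        print(f"{iface}: {ip} -> {verdict}")
    for name, image in hidden_services(found):
        print(f"hidden service {name}: {image}")
```

With an empty allow-list both addresses come back as "review", which is exactly the question Machiavelli put to the poster; once the poster confirms they belong to the VPN client, adding them to `known_resolvers` marks them "expected" on later scans, while any resolver that appears without such an explanation stays flagged as a possible DNS hijack.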


#23 Machiavelli


Posted 28 November 2014 - 08:06 AM

Hello, in my opinion your PC is clean.

We need to remove the tools we've used while cleaning your machine:
  • Download Delfix from here and run it (if you have Windows Vista / Windows 7 / Windows 8, please right-click on the Delfix icon and select Run as Administrator).
  • Ensure Remove disinfection tools is ticked. Also tick:
    • Create registry backup
    • Purge system restore
  • Click Run.
The program will run for a few moments and then Notepad will open with a log. Please paste the log in your next reply.

 

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the Windows Update icon will appear in your taskbar when new updates are available; whenever you see it, you should open the menu and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is well worth it compared to getting infected through an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

Keep Safe! :thumbsup:

~Machiavelli



#24 MrNobodyx


Posted 28 November 2014 - 09:17 AM

# DelFix v10.8 - Logfile created 28/11/2014 at 22:15:26
# Updated 29/07/2014 by Xplode
# Username : xtre - DAN
# Operating System : Windows 8.1 Pro  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\zoek_backup
Deleted : C:\AdwCleaner
Deleted : C:\Users\xtre\Desktop\mbar
Deleted : C:\zoek-results.log
Deleted : C:\Users\xtre\Desktop\Addition.txt
Deleted : C:\Users\xtre\Desktop\adwcleaner_4.102.exe
Deleted : C:\Users\xtre\Desktop\FRST.txt
Deleted : C:\Users\xtre\Desktop\FRST64.exe
Deleted : C:\Users\xtre\Desktop\JRT.exe
Deleted : C:\Users\xtre\Desktop\log.txt
Deleted : C:\Users\xtre\Desktop\rkill.exe
Deleted : C:\Users\xtre\Desktop\RogueKillerX64.exe
Deleted : C:\Users\xtre\Desktop\tdsskiller.exe
Deleted : C:\Users\xtre\Desktop\zoek.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #2 [Windows Update | 11/24/2014 02:41:44]
Deleted : RP #3 [zoek.exe restore point | 11/26/2014 18:11:40]
Deleted : RP #4 [zoek.exe restore point | 11/28/2014 08:26:23]

New restore point created !

########## - EOF - ##########
 


Edited by MrNobodyx, 28 November 2014 - 09:17 AM.


#25 MrNobodyx


Posted 28 November 2014 - 09:18 AM

Hi, what about

C:\Windows\ERUNT

C:\Users\xtre\AppData\Local\Temp\jrt


Edited by MrNobodyx, 28 November 2014 - 09:27 AM.


#26 Machiavelli


Posted 28 November 2014 - 11:55 AM

You can delete them. Any further questions before I close this topic as solved?

~Machiavelli



#27 MrNobodyx


Posted 29 November 2014 - 01:25 AM

ERUNT is a registry backup, so if in the next 2-3 days I have no problems, am I safe to remove them?
Yeah you can mark this thread as solved after my last queries.

#28 Machiavelli


Posted 29 November 2014 - 07:11 AM

Simply put, it is your decision whether you would like to keep it or not.

Thread closed as solved.

~Machiavelli
