Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Roguekiller found problem or false positive ?


  • Please log in to reply
11 replies to this topic

#1 eugen_pl

eugen_pl

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 19 November 2015 - 03:23 AM

Hi There.

 

That is a Roguekiller report.

 

" RogueKiller V10.11.6.0 [Nov 16 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : Eugeniusz [Administrator]
Started from : C:\Users\Eugeniusz\Downloads\RogueKiller.exe
Mode : Scan -- Date : 11/19/2015 07:20:11

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] C:\Windows\System32\drivers\nwifi.sys -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 572b9aec56c23471e13ec042c84663af
[BSP] ded9dd5005712aa1ccf0d60fe109976b : Empty MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 357701 MB
1 - Basic data partition | Offset (sectors): 732573696 | Size: 357702 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 3db6499a8cfc97133c05db878a40a635
[BSP] 359f7e74cd5bfb32ea89655b1af5cfcd : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 97227 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 201433088 | Size: 452 MB
5 - Basic data partition | Offset (sectors): 202358784 | Size: 124900 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 458153984 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

 

Mcafee's real time scan mode is immediately off if I to try scan file nwifi.sys.

 

Is it real big problem.

 

Thanks.

 

Eugene


Edited by hamluis, 19 November 2015 - 05:05 AM.
Moved from AV/AM Software to Malware Removal Logs - Hamluis.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:38 PM

Posted 21 November 2015 - 11:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


How is the computer running now?
Wait for further instructions.

#3 eugen_pl

eugen_pl
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 21 November 2015 - 02:05 PM

Please to find enclosed FRST64, AdwCleaner, MBAM logs and pcts of  roguekiller and mcafee scan report.

 

sfc /scannow - found and succesful fix corruptet files

Mcafee - found 5 issues of ARTEMIS ?? Manually deleted

ipconfig /flushdns - ok

Reinstelled - McAfee Live Safe ( Real-Time scanner not started ).

 

Now the laptop running ok.

 

Eugene

Attached Files


Edited by eugen_pl, 21 November 2015 - 03:10 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:38 PM

Posted 21 November 2015 - 03:09 PM


This is just a cleanup of empty entries.


Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
SearchScopes: HKU\S-1-5-21-1541605764-3486321063-3568650953-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1541605764-3486321063-3568650953-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S3 MFE_RR; \??\C:\Users\EUGENI~1\AppData\Local\Temp\mfe_rr.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
C:\Users\Eugeniusz\AppData\Local\Temp\0240661448116130mcinst.exe
C:\Users\Eugeniusz\AppData\Local\Temp\0250391448116428mcinst.exe
C:\Users\Eugeniusz\AppData\Local\Temp\McCSPInstall.dll
C:\Users\Eugeniusz\AppData\Local\Temp\mccspuninstall.exe
C:\Users\Eugeniusz\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Eugeniusz\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Eugeniusz\AppData\Local\Temp\nvStInst.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 eugen_pl

eugen_pl
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 21 November 2015 - 03:28 PM

Hi there.

 

Log file attached.

 

How it look now ?

 

 

Attached Files



#6 eugen_pl

eugen_pl
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 21 November 2015 - 03:57 PM

Currentyl RogueKiller scan log.

Attached Files

  • Attached File  RK1.txt   4.54KB   2 downloads


#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:38 PM

Posted 22 November 2015 - 07:25 AM



Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

If the problem with nwifi.sys it not corrected lets find out if you have a good copy that we can use.

Please run the Farbar Recovery Scan Tool. Enter nwifi.sys in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>

#8 eugen_pl

eugen_pl
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 22 November 2015 - 01:17 PM

Hi there

 

I to use Windows 10. Combofix dont support this OS.



#9 eugen_pl

eugen_pl
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 22 November 2015 - 04:41 PM

Hi,

 

serch.txt and RogueKiller log attached.

 

 

Attached Files


Edited by eugen_pl, 22 November 2015 - 05:38 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:38 PM

Posted 23 November 2015 - 07:44 AM

Looks like we are dealing with a false positive.
You have only one version of the file on your computer.

The MD5 value is good as seen here.
http://systemexplorer.net/file-database/file/nwifi-sys/34155633

===

If the computer is running well I would let it go.

You can help by reporting the issue here : http://www.adlice.com/contact/

#11 eugen_pl

eugen_pl
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 23 November 2015 - 07:52 AM

Hi there,

the computer is running well. Not crash. Amount of spam emails in my account run down.

Thanks

Eugene

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:38 PM

Posted 23 November 2015 - 08:36 AM

Glad we could help.


If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users