21 replies to this topic

[suefiza]

RKreport

RogueKiller V10.0.8.0 (x64) [Nov 20 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Administrator]
Mode : Scan -- Date : 12/04/2014  16:56:16

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] JRT.exe -- C:\Users\Owner\Desktop\JRT.exe[-] -> Killed [TermThr]

¤¤¤ Registry : 33 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft...d=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft...d=ie&ar=msnhome  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft...d=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft...d=ie&ar=msnhome  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7B921F64-AA10-4D5F-942F-A575028236B0} | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C26C072B-4739-4C0D-B7F1-F4190F08DC70} | NameServer : 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E3DD0C86-050F-4BE5-91D2-18ECAD6F69DC} | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7B921F64-AA10-4D5F-942F-A575028236B0} | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C26C072B-4739-4C0D-B7F1-F4190F08DC70} | NameServer : 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E3DD0C86-050F-4BE5-91D2-18ECAD6F69DC} | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7B921F64-AA10-4D5F-942F-A575028236B0} | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C26C072B-4739-4C0D-B7F1-F4190F08DC70} | NameServer : 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E3DD0C86-050F-4BE5-91D2-18ECAD6F69DC} | DhcpNameServer : 192.168.0.1 205.171.203.226 [UNITED STATES (US)]  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSearch : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSearch : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-708974729-55146766-922195683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] Best Buy pc app.lnk -- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [LNK@] C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 10 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\Disk @ \Device\Harddisk0\DR0 : \Driver\partmgr @ Unknown (\SystemRoot\system32\DRIVERS\LPCFilter.sys)
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x35301f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x3530270
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x3530250
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x35301d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x3530290
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x35302b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x35302d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x3530210
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x3530230

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6476GSXN +++++
--- User ---
[MBR] b8804eb13f2b03ef79e221133212af7b
[BSP] cf81b80618fd166be3ab24b66ded586c : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 594520 MB
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1220651008 | Size: 14459 MB
User = LL1 ... OK
User = LL2 ... OK

[suefiza]

The Yahoo toolbar uninstalled without any problems.

[LiquidTension]

Hello Sue, 

 

Please provide an update on your computer after completing the steps below.

Are there any outstanding issues?

 

STEP 1
 Malwarebytes Anti-Malware (MBAM)

• Please download the Malwarebytes Anti-Malware setup file to your Desktop.
• Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme. 
• Open Malwarebytes Anti-Malware and click Update Now.
• Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
• Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
• Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• Click Copy to Clipboard and paste the log in your next reply. 
   

STEP 2
 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Please download ESET Online Scan and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click esetsmartinstaller_enu.exe to run the programme. 
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Agree to the Terms of Use once more and click Start. Allow components to download.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points. 
• Click  and save the file to your Desktop, naming it something such as "MyEsetScan".
• Push the Back button.
• Place a checkmark next to  and click .
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 3
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• MBAM Scan log
• ESET Online Scan log
• Update on computer

[suefiza]

Are there any more steps?  I am wondering if I should remove these executables that you had me download and run?  What is your recommendation?  Thanks so much for your help.  So far in the brief times that I have been connected to the internet, I haven't seen any of the behavior I was seeing before. 

[LiquidTension]

Hi Sue, 

 

Once you've provided the two logs from above, we can move on to updating your vulnerable software, removing the tools and files used in this process, and recommended reading material/programmes that will help reduce the risk of reinfection. 

 

Please include the ESET Online Scan log and MBAM Threat Scan log in your next reply.

[LiquidTension]

Hello Sue, 

 

How are you getting on? 

[LiquidTension]

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic