
[Solved] Malware check plz

Discussion in 'Malware Removal Help' started by Just-Me, Feb 26, 2015.

  1. etavares

    etavares Malware Removal Specialist - Moderator

    Joined:
    Aug 6, 2011
    Messages:
    259
    Location:
    USA (GMT -5)
    OK, sorry to hear you're still sore. :( Let me know how it goes.

    -etavares
     
  2. Just-Me

    Just-Me Registered Members

    Joined:
    Mar 2, 2014
    Messages:
    117
    Operating System:
    Windows 7
    Thanks.

    OK, I have run the scan and it rebooted my laptop itself, and now where do I find the scan report? Nothing is left on my desktop.
     
  3. Just-Me

    I couldn't figure out how to find the scan report so I took screen shots of what was found in each
     


  4. etavares

    OK, I'd like to see the full log. Look where you saved Rogue Killer and you should see rkreport.txt...is it there? If so, can you please copy/paste the contents?

    -etavares
     
  5. Just-Me

    When I downloaded the Rogue Killer I saved it to my desktop and after the scan was done...nothing was left. No report was left. That is why I took screenshots of what it found. Should I delete the program and start from scratch with the Rogue?
     
  6. etavares

    Please click the Report button in RogueKiller after the scan. It should open the report. I don't want you to fix anything until I can see it all to confirm we're not going to delete something legitimate.

    -etavares
     
  7. Just-Me

    OK, here is the report. I had to download the program again due to it being out of date. I was away for the long weekend also.

    RogueKiller V10.6.4.0 (x64) [May 18 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Lila [Administrator]
    Started from : C:\Users\Lila\Desktop\RogueKillerX64.exe
    Mode : Scan -- Date : 05/18/2015 17:32:06

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 10 ¤¤¤
    [PUM.Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
    [PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2196296775-3493883262-1510572285-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2196296775-3493883262-1510572285-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2196296775-3493883262-1510572285-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2196296775-3493883262-1510572285-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST9500325AS +++++
    --- User ---
    [MBR] 07f2ab0a73b8f817d4e8d9169e7dc32b
    [BSP] 63093cabbed7187f52a1f627a0b4b316 : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 7864 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 16107520 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 16312320 | Size: 468974 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! ([32] The request is not supported. )
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive2: Ricoh Memory Stick Disk Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive3: WD My Passport 0830 USB Device +++++
    --- User ---
    [MBR] f7b89e61dee8dfcac7a1a0dd392c98c3
    [BSP] 3b0ca5a96485f156015c15e13e066b1e : Windows XP|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953836 MB [Windows XP Bootstrap | Windows XP Bootloader]
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive4: WD My Passport 0730 USB Device +++++
    --- User ---
    [MBR] 0edf6d74277cbf53326024140954c17f
    [BSP] fdbfd5c3900bba49e56c79efbc312c7f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476907 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_05122015_212430.log
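
An added example, not part of the thread and not Adlice's code: a small Python parser for Registry lines shaped like the ones in the report above, which checks the section's declared count against the lines parsed, merges the X64/X86 views of one value, and picks out URL values whose host is not on a reviewer-chosen allowlist. The line layout is inferred from the lines shown in this thread; the sample input, the placeholder SID and the allowlist are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like the Registry section of the reports in this
# thread; the SID is a placeholder and the last URL is made up.
IE = r"HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\Main"
ICONS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
         r"\Explorer\HideDesktopIcons\NewStartPanel")
SAMPLE = "\n".join([
    "¤¤¤ Registry : 5 ¤¤¤",
    "[PUM.SearchPage] (X64) " + IE + " | Search Page : http://www.bing.com/search?q={searchTerms} -> Found",
    "[PUM.SearchPage] (X86) " + IE + " | Search Page : http://www.bing.com/search?q={searchTerms} -> Found",
    "[PUM.DesktopIcons] (X64) " + ICONS + " | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found",
    "[PUM.DesktopIcons] (X86) " + ICONS + " | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found",
    "[PUM.SearchPage] (X64) " + IE + " | Search Bar : http://search.example.invalid/sp.htm -> Found",
    "",
    "¤¤¤ Tasks : 0 ¤¤¤",
])

# [Category] (Arch) Key | ValueName : Data -> Status  (layout as seen in the thread)
ENTRY = re.compile(r"^\[(?P<cat>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| "
                   r"(?P<name>.+?) : (?P<data>.*) -> (?P<status>.+)$")
FIELDS = ("cat", "key", "name", "data", "status")

def parse_registry(report):
    """Return (declared count, parsed line count, findings merged across X64/X86)."""
    header = re.search(r"Registry : (\d+)", report)
    declared = int(header.group(1)) if header else None
    merged, raw = {}, 0
    for line in report.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        raw += 1
        ident = tuple(entry[f] for f in FIELDS)
        merged.setdefault(ident, []).append(entry["arch"])
    findings = [dict(zip(FIELDS, ident), archs=archs) for ident, archs in merged.items()]
    return declared, raw, findings

def unfamiliar_url(finding, known_hosts=("bing.com", "msn.com")):
    """True when the data is a URL whose host is outside the allowlist (an assumption)."""
    host = urlparse(finding["data"]).hostname
    if host is None:
        return False  # not a URL (e.g. "1", "Preserve"); this check does not apply
    return not any(host == h or host.endswith("." + h) for h in known_hosts)
```

A mismatch between the declared and parsed counts means the pasted report is incomplete or a line did not fit the inferred layout, so the full log should be requested again before anything is deleted.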
     
  8. etavares

    Hi,

    OK, please do another Scan with Rogue Killer, then click Delete after it's done scanning. Then, let me know how it is running, please.

    -etavares
     
  9. Just-Me

    OK, have done as you said above. I am attaching a screenshot of what I saw when I clicked on registry...it's saying not selected. Was I supposed to go in and put check marks in all before deleting?
    ty
     


  10. etavares

    Yes, it used to default to checked. Check everything in the registry tab, then click delete.

    etavares
     
  11. Just-Me

    Here are the scan results. I ran a scan yesterday and did as you said to delete all in registry. Did another scan just now and these are the results from the scan. There were more in the registry so I deleted those.
    Since the scan last night I have two icons on my desktop. Attaching screenshots of them. What should I do to get rid of them as they were never there before? ty



    RogueKiller V10.6.4.0 (x64) [May 18 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Lila [Administrator]
    Started from : C:\Users\Lila\Desktop\RogueKillerX64.exe
    Mode : Delete -- Date : 05/19/2015 09:54:35

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 2 ¤¤¤
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2196296775-3493883262-1510572285-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://search.msn.com/spbasic.htm -> Replaced (http://search.msn.com/spbasic.htm)
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2196296775-3493883262-1510572285-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://search.msn.com/spbasic.htm -> Replaced (http://search.msn.com/spbasic.htm)

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST9500325AS +++++
    --- User ---
    [MBR] 07f2ab0a73b8f817d4e8d9169e7dc32b
    [BSP] 63093cabbed7187f52a1f627a0b4b316 : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 7864 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 16107520 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 16312320 | Size: 468974 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! ([32] The request is not supported. )
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive2: Ricoh Memory Stick Disk Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive3: WD My Passport 0830 USB Device +++++
    --- User ---
    [MBR] f7b89e61dee8dfcac7a1a0dd392c98c3
    [BSP] 3b0ca5a96485f156015c15e13e066b1e : Windows XP|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953836 MB [Windows XP Bootstrap | Windows XP Bootloader]
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive4: WD My Passport 0730 USB Device +++++
    --- User ---
    [MBR] 0edf6d74277cbf53326024140954c17f
    [BSP] fdbfd5c3900bba49e56c79efbc312c7f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476907 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_05122015_212430.log - RKreport_SCN_05182015_173206.log - RKreport_SCN_05182015_201624.log - RKreport_DEL_05182015_201631.log
    RKreport_SCN_05182015_220500.log - RKreport_DEL_05182015_220529.log - RKreport_SCN_05192015_095412.log
     


  12. etavares

    Hi,

    That log looks OK. The MSN isn't malware.

    As for the icons, RK changed some settings back to default. To get rid of them, right-click your desktop, select Personalize.
    Click Change desktop icons.
    UNcheck the box next to User's Files and Computer.
    OK your way out.

    Those should disappear.

    How is your computer running?

    -etavares
     
  13. Just-Me

    Icons are now gone. Computer is running much better.
    I would like to say thank you for all of your help.
    Have yourself a great weekend and I will return one day LOL
    Take care...Lila
     
  14. etavares

    Great! You can remove any tools we used and delete the log files.

    -etavares
     
  15. Just-Me

    I would like to say thank you so very much for all your help, etavares.
    Hope you are having a great week. Cya later sometime LOL
     
