Registry Entries [ ROGUE ST] + unable to run anti-malware and anti-vi



#1 VrB
Hi:

Windows XP SP3 system running slow, including programs and internet.

I was going to run MWB with Chameleon. Chameleon was able to update the definitions to the current date, but after the update it showed an error that the file was corrupt and that I needed to download and reinstall. I tried again to launch it and got the same message.

Then I ran RogueKiller V8.5.2. I know this version is out of date, but this is all I had at the time. I need to use an alternate system for now.

RogueKiller V8.5.2 found items in the registry and many items in the drivers section. I also noticed that the entire list in the drivers section did not populate. I remember seeing at least 20 listed, but they are not showing in the log below.

I did not remove any items in the RogueKiller log. I will wait for your help.

The ESET online scanner you will see in the log was from a scan long ago; nothing that has been used in a very long time. We now use Avast, but it did not run. It looks to be disabled.

I thank you for taking time to help.



RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 03/08/2014 14:23:19
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][ROGUE ST] HKLM\[...]\RunOnce : 1 (C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe /r /p) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[122] : NtOpenProcess @ 0x80574B29 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xF6E5CC4C)
SSDT[128] : NtOpenThread @ 0x80590C64 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xF6E5CD3C)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD400BB +++++
--- User ---
[MBR] 3a4b055ac942a9f30e2a459eabdf1f76
[BSP] d8530313a4a7d15b2a7fcbe346dffeff : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : <<

OTL logfile created on: 3/8/2014 4:13:32 PM - Run 7
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Admin\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000000 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.07 Mb Total Physical Memory | 23.70 Mb Available Physical Memory | 18.65% Memory free
497.63 Mb Paging File | 322.90 Mb Available in Paging File | 64.89% Paging File free
Paging file location(s): C:\pagefile.sys 192 384 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 3.99 Gb Free Space | 10.71% Space Free | Partition Type: NTFS

Computer Name: R1 | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Documents and Settings\Admin\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\pctspk.exe (PCtel, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\AVAST Software\Avast\defs\13121700\algo.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()


========== Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\acs\AOLacsd.exe (AOL LLC)
SRV - (Pctspk) -- C:\WINDOWS\system32\pctspk.exe (PCtel, Inc.)


========== Driver Services (SafeList) ==========

DRV - (NVXBAR) -- system32\DRIVERS\NVxbar.sys File not found
DRV - (nvTUNEP) -- system32\DRIVERS\nvtunep.sys File not found
DRV - (nvcap) -- system32\DRIVERS\nvcap.sys File not found
DRV - (catchme) -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (mbamchameleon) -- C:\WINDOWS\system32\drivers\mbamchameleon.sys ()
DRV - (aswSnx) -- C:\WINDOWS\system32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (AVAST Software)
DRV - (aswVmm) -- C:\WINDOWS\System32\drivers\aswVmm.sys ()
DRV - (aswMonFlt) -- C:\WINDOWS\system32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswRvrt) -- C:\WINDOWS\System32\drivers\aswRvrt.sys ()
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (AVAST Software)
DRV - (BANTExt) -- C:\WINDOWS\system32\drivers\BANTExt.sys ()
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (NUVision) -- C:\WINDOWS\system32\drivers\NUVision.sys (Nogatech Ltd.)
DRV - (tbcwdm) -- C:\WINDOWS\system32\drivers\tbcwdm.sys (Voyetra Turtle Beach)
DRV - (tbcspud) -- C:\WINDOWS\system32\drivers\tbcspud.sys (Voyetra Turtle Beach)
DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (Vpctcom) -- C:\WINDOWS\system32\drivers\vpctcom.sys (PCtel, Inc.)
DRV - (Vvoice) -- C:\WINDOWS\system32\drivers\vvoice.sys (PCtel, Inc.)
DRV - (Vmodem) -- C:\WINDOWS\system32\drivers\vmodem.sys (PCTEL, INC.)
DRV - (Ptserlp) -- C:\WINDOWS\system32\drivers\ptserlp.sys (PCTEL, INC.)
DRV - (EL90XBC) -- C:\WINDOWS\system32\drivers\el90xbc5.sys (3Com Corporation)
DRV - (Aspi32) -- C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 30 8D 8A F8 F7 3A CF 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINDOWS\system32\npDeployJava1.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2014/01/04 09:23:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/11/13 15:20:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}: C:\Program Files\DAP\DAPFireFox

[2012/04/21 14:18:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions
[2014/01/10 20:15:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/01/10 20:15:37 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

O1 HOSTS File: ([2013/04/14 15:12:59 | 000,000,019 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1389231461\ee\aolsoftware.exe (AOL Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [AOL Fast Start] C:\Program Files\AOL Desktop 9.7\AOL.EXE (AOL Inc.)
O4 - HKLM..\RunOnce: [1] C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm File not found
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm File not found
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm File not found
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5A5C8D1A-CB5B-4532-97F0-35F0BDA3C853}: NameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/23 17:13:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========


[2014/02/09 19:02:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\My Documents\AvastPEToolkit
[2014/02/09 16:17:45 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2014/02/09 16:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\Malwarebytes
[2014/02/09 16:17:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2014/02/09 16:17:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2014/02/09 16:16:56 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2014/02/09 16:16:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2014/02/09 15:24:07 | 000,080,456 | ---- | C] (Malwarebytes Corporation) -- C:\Documents and Settings\Admin\My Documents\mbam-clean-1.60.2.0003.exe

========== Files - Modified Within 30 Days ==========

[2014/03/08 14:06:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2014/03/08 13:13:07 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/03/08 12:32:14 | 000,018,059 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2014/03/08 12:24:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/03/08 12:24:22 | 133,316,608 | -HS- | M] () -- C:\hiberfil.sys


========== Files Created - No Company Name ==========

[2014/03/08 13:13:07 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/01/04 09:23:27 | 000,180,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2014/01/04 09:23:25 | 000,049,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/04/28 18:36:39 | 000,088,688 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2013/04/16 10:46:17 | 000,000,400 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2013/01/16 16:28:48 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/07/07 09:31:00 | 000,000,010 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2012/05/18 16:02:37 | 000,181,760 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/06 14:04:33 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2012/04/24 11:06:09 | 000,109,216 | ---- | C] () -- C:\WINDOWS\System32\EasyHook64.dll
[2012/04/24 11:06:09 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\EasyHook32.dll

========== ZeroAccess Check ==========

[2006/10/27 17:40:58 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2014/01/04 09:26:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\AVAST Software
[2013/01/09 15:37:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\EQATEC Analytics
[2012/04/25 16:58:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\OpenOffice.org
[2013/02/11 19:33:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Opera
[2012/08/04 14:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Oracle
[2012/04/22 15:41:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\ProgSense
[2012/09/05 10:16:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\SumatraPDF
[2013/03/27 09:41:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\VSRevoGroup
[2014/01/04 09:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software

========== Purity Check ==========



< End of report >

Thank you.

Edited by VrB, 09 March 2014 - 06:47 PM.
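An added triage helper for the two log formats posted above. This is example code written for this page; it is not the poster's, RogueKiller's or OTL's code. It parses the RogueKiller sections and the OTL "DRV -" lines and pulls out what an analyst reads first: which kernel module owns each SSDT hook (the posted log attributes both hooks to mbamchameleon.sys, the driver listed next to the Chameleon RunOnce entry), whether the flagged HJPOL policy values are actually switched on (a DisableTaskMgr or DisableRegistryTools DWORD only restricts when non-zero; the posted values are 0, so RogueKiller is flagging their presence, not an active restriction), the flagged Run/RunOnce commands, any hosts-file line other than the localhost mapping, and OTL driver services that are missing on disk or carry no company name. The sample logs embedded in the script are constructed from the entries visible in this post with the line wrapping undone; nothing beyond the posted layout is assumed.

```python
"""Triage helper for RogueKiller / OTL text logs (added example, not RogueKiller,
OTL or the poster's code). Sample input below is constructed from the log
entries visible in the post, with extraction line-wrapping undone."""
import re
from collections import defaultdict

RK_SAMPLE = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][ROGUE ST] HKLM\[...]\RunOnce : 1 (C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe /r /p) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[122] : NtOpenProcess @ 0x80574B29 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xF6E5CC4C)
SSDT[128] : NtOpenThread @ 0x80590C64 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xF6E5CD3C)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost
"""

OTL_SAMPLE = r"""
========== Driver Services (SafeList) ==========

DRV - (NVXBAR) -- system32\DRIVERS\NVxbar.sys File not found
DRV - (catchme) -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (mbamchameleon) -- C:\WINDOWS\system32\drivers\mbamchameleon.sys ()
DRV - (aswSnx) -- C:\WINDOWS\system32\drivers\aswSnx.sys (AVAST Software)
"""

SECTION_RE = re.compile(r"^¤¤¤ (.*?)\s*:.*¤¤¤$")
REG_RE = re.compile(r"^((?:\[[^\]]+\])+)\s+(.+?) : (.+) -> FOUND$")
POLICY_RE = re.compile(r"^(\w+) \((\d+)\)$")
SSDT_RE = re.compile(r"^SSDT\[(\d+)\] : (\w+) @ 0x[0-9A-Fa-f]+ -> HOOKED \((.+?) @ 0x[0-9A-Fa-f]+\)$")
OTL_DRV_RE = re.compile(r"^DRV - \((\S+)\) -- (.+?)(?: \((.*?)\))?( File not found)?$")


def parse_roguekiller(text):
    """Walk the ¤¤¤ sections and return one dict per finding worth triaging."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "Registry Entries" and (m := REG_RE.match(line)):
            tags = re.findall(r"\[([^\]]+)\]", m.group(1))
            f = {"kind": "registry", "tags": tags, "key": m.group(2), "value": m.group(3)}
            if "HJPOL" in tags and (p := POLICY_RE.match(m.group(3))):
                # Policy DWORDs restrict only when non-zero; RogueKiller flags mere presence.
                f["policy"], f["enforced"] = p.group(1), p.group(2) != "0"
            findings.append(f)
        elif section == "Driver" and (m := SSDT_RE.match(line)):
            findings.append({"kind": "ssdt_hook", "index": int(m.group(1)),
                             "function": m.group(2), "module": m.group(3)})
        elif section == "HOSTS File" and not line.startswith("-->"):
            parts = line.split()
            # Anything other than the loopback->localhost mapping is a redirect to review.
            if len(parts) == 2 and not (parts[1] == "localhost" and parts[0] in ("127.0.0.1", "::1")):
                findings.append({"kind": "hosts", "ip": parts[0], "host": parts[1]})
    return findings


def summarize(findings):
    """Group the findings the way an analyst reads them."""
    hooks = defaultdict(list)
    for f in findings:
        if f["kind"] == "ssdt_hook":
            hooks[f["module"].rsplit("\\", 1)[-1].lower()].append(f["function"])
    policies = [f for f in findings if "policy" in f]
    return {
        "hooks": dict(hooks),
        "policies_present": sorted(f["policy"] for f in policies),
        "policies_enforced": sorted(f["policy"] for f in policies if f["enforced"]),
        "autoruns": [f["value"] for f in findings if f["kind"] == "registry" and "RUN" in f["tags"]],
        "hosts_overrides": [(f["ip"], f["host"]) for f in findings if f["kind"] == "hosts"],
    }


def parse_otl_drivers(text):
    """Classify OTL 'DRV -' lines: missing on disk, no company name, or ok."""
    out = []
    for line in text.splitlines():
        if not (m := OTL_DRV_RE.match(line.strip())):
            continue
        name, path, company, missing = m.groups()
        status = "missing" if missing else ("no_company" if not company else "ok")
        out.append({"service": name, "path": path, "company": company or "", "status": status})
    return out


if __name__ == "__main__":
    s = summarize(parse_roguekiller(RK_SAMPLE))
    for mod, fns in s["hooks"].items():
        print(f"SSDT hooks owned by {mod}: {', '.join(fns)}")
    print("policy values present:", s["policies_present"])
    print("policy values enforced:", s["policies_enforced"])
    print("flagged autoruns:", s["autoruns"])
    for d in parse_otl_drivers(OTL_SAMPLE):
        if d["status"] != "ok":
            print(f"driver {d['service']}: {d['status']} -> {d['path']}")
```

Run it against a saved RogueKiller or OTL log by reading the file into the two parsers instead of the embedded samples. The point of the "enforced" flag is that a RogueKiller HJPOL line tells you a policy value exists under HKCU\...\Policies\System, not what it is set to; the data in parentheses decides whether Task Manager or the registry tools are actually blocked.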
