Author Topic: RogueKiller detect threat  (Read 13410 times)

nexon (Newbie)
RogueKiller detect threat
« on: March 29, 2015, 05:34:06 PM »
Hello

RogueKiller detects this, but I am not sure if I can delete it?

Curson (Global Moderator)
Re: RogueKiller detect threat
« Reply #1 on: March 31, 2015, 09:53:58 PM »
Hi nexon,

Welcome to Adlice.com Forum.
Could you please copy/paste RogueKiller's full report in your next reply?

Regards.

nexon (Newbie)
Re: RogueKiller detect threat
« Reply #2 on: April 01, 2015, 10:05:19 AM »
hi,

You want the log, right? OK, here it is...

RogueKiller V10.5.8.0 [Mar 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operační systém : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Spuštěno : Normální režim
Uživatel : Mato [Práva správce]
Started from : D:\RogueKiller.exe
Mód : Prohledat -- Datum : 04/01/2015  10:00:11

¤¤¤ Procesy : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.HomePage] HKEY_USERS\S-1-5-21-3768633770-1161998090-4180713237-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.facebook.com/  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer :  [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer :  [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer :  [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 0 ¤¤¤

¤¤¤ Antirootkit : 2 (Driver: Nahrán) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Harddisk0\DR0 : \Driver\partmgr @ Unknown (\SystemRoot\system32\DRIVERS\cm_km_w.sys)
[Filter(Kernel.Filter)] \Driver\Disk @ \Device\Harddisk0\DR0 : \Driver\partmgr @ Unknown (\SystemRoot\system32\DRIVERS\cm_km_w.sys)

¤¤¤ Webové prohlížeče : 0 ¤¤¤

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++
--- User ---
[MBR] ec37889b1405c0ee8cfe7157ff322873
[BSP] 8e8aa1e4f461b71cb441cfc9b4c3e2d1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152622 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 312571904 | Size: 152621 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03292015_171539.log

Curson (Global Moderator)
Re: RogueKiller detect threat
« Reply #3 on: April 01, 2015, 10:49:54 AM »
Hi nexon,

The file cm_km_w.sys is legit.
This false positive will be fixed in RogueKiller next version.

Regards.

nexon (Newbie)
Re: RogueKiller detect threat
« Reply #4 on: April 01, 2015, 03:00:42 PM »
Hello

Okay, so what about the PUM entries in the registry? False positives also?

Curson (Global Moderator)
Re: RogueKiller detect threat
« Reply #5 on: April 01, 2015, 07:25:36 PM »
Hi nexon,

Entries flagged as PUM (Potentially Unwanted Modification) could be potentially malicious.
In your case all of them are perfectly legit.

For more information, please read RogueKiller Documentation. You will find extensive descriptions about such entries there.

Regards.

nexon (Newbie)
Re: RogueKiller detect threat
« Reply #6 on: April 01, 2015, 08:15:10 PM »
Hello

Thanks for the helpful info. :)

Curson (Global Moderator)
Re: RogueKiller detect threat
« Reply #7 on: April 01, 2015, 09:58:22 PM »
Hi nexon,

You are very welcome.  :)

All the best.

nexon (Newbie)
Re: RogueKiller detect threat
« Reply #8 on: April 12, 2015, 02:18:36 PM »
Hello

Today I ran a scan with the newest version 10.5.9 and I have the same problem, see the log please.

RogueKiller V10.5.9.0 [Apr  7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operační systém : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Spuštěno : Normální režim
Uživatel : Mato [Práva správce]
Started from : D:\RogueKiller.exe
Mód : Prohledat -- Datum : 04/12/2015  14:13:55

¤¤¤ Procesy : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.HomePage] HKEY_USERS\S-1-5-21-3768633770-1161998090-4180713237-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.facebook.com/  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Nahrán) ¤¤¤

¤¤¤ Webové prohlížeče : 0 ¤¤¤

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++
--- User ---
[MBR] ec37889b1405c0ee8cfe7157ff322873
[BSP] 8e8aa1e4f461b71cb441cfc9b4c3e2d1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152622 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 312571904 | Size: 152621 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03292015_171539.log - RKreport_SCN_04012015_100011.log

Curson (Global Moderator)
Re: RogueKiller detect threat
« Reply #9 on: April 13, 2015, 06:17:19 PM »
Hi nexon,

Is your ISP located in Slovakia?
If that's the case, your report is clean. ;)

Regards.

nexon (Newbie)
Re: RogueKiller detect threat
« Reply #10 on: April 13, 2015, 06:30:28 PM »
Hi

Yes, this is in Slovakia: 88.212.8.8 88.212.8.88.
Is this a bug in RogueKiller? Because I see this.

Curson (Global Moderator)
Re: RogueKiller detect threat
« Reply #11 on: April 13, 2015, 06:54:22 PM »
Hi nexon,

No, it was just to confirm that it was really your ISP's nameservers.

These lines match the address of your Internet service provider's Domain Name System.
To keep it simple, each time your computer issues a request to, for example, adlice.com, the DNS of your provider translates it to the IP 1.121.101.47.
It's a translation service: URLs <=> IP addresses.

Regards.
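As an added example (not code from this thread, nor from Adlice or RogueKiller), here is the triage the moderator describes in replies #5 and #11 applied to lines in the report format shown above: each [PUM.*] registry finding is parsed, DhcpNameServer addresses are checked against an allow-list of confirmed ISP resolvers, and the ConsentPromptBehaviorAdmin value is spelled out. The allow-list and the sample lines are constructed; the two resolver addresses are the ones this thread confirmed as the ISP's own.

```python
import ipaddress
import re

# One RogueKiller registry finding: [Category] Key | ValueName : Value  -> Status
LINE_RE = re.compile(r"^\[(?P<cat>PUM\.\w+)\] (?P<key>.+?) \| (?P<name>.+?) : (?P<value>.*?)\s+-> \S+$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Analyst allow-list (assumed): the two resolvers the thread confirmed as the ISP's own.
EXPECTED_RESOLVERS = {ipaddress.ip_address(s) for s in ("88.212.8.8", "88.212.8.88")}

# Meaning of the UAC ConsentPromptBehaviorAdmin values seen most often.
UAC_ADMIN = {"0": "elevate without prompting", "2": "prompt for consent on the secure desktop",
             "5": "prompt for consent for non-Windows binaries (Windows 7 default)"}

# Constructed sample in the format of the reports above; the third line mimics the
# first report in the thread, where the resolver addresses were missing.
SAMPLE_REPORT = r"""
[PUM.HomePage] HKEY_USERS\S-1-5-21-3768633770-1161998090-4180713237-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.facebook.com/  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer :  [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
"""

def parse_line(line):
    """Split one finding into category, key, value name and value; None if not a PUM line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(entry):
    """Return (verdict, note): 'expected' when the change is accounted for, else 'review'."""
    cat, name, value = entry["cat"], entry["name"], entry["value"]
    if cat == "PUM.Dns":
        ips = [ipaddress.ip_address(s) for s in IP_RE.findall(value)]
        if not ips:
            return "review", "no resolver address in the report line; inspect the key directly"
        unknown = [str(ip) for ip in ips if ip not in EXPECTED_RESOLVERS]
        if unknown:
            return "review", "resolver(s) not on the allow-list: " + ", ".join(unknown)
        return "expected", "all resolvers are the ISP's confirmed name servers"
    if cat == "PUM.Policies" and name == "ConsentPromptBehaviorAdmin":
        meaning = UAC_ADMIN.get(value, "unknown value")
        return ("review" if value == "0" else "expected"), "UAC admin behaviour: " + meaning
    return "expected", cat + " is a preference change; confirm the user made it"

def triage_report(text):
    """Run every PUM line of a report through triage(); non-PUM lines are skipped."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return [(e["cat"], e["name"], *triage(e)) for e in entries]
```

A value of 0 for ConsentPromptBehaviorAdmin is flagged for review even on a clean machine, because it means administrators are elevated silently; the thread's moderator judged it legitimate for this user, which is exactly the confirmation step the verdict asks for.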

nexon (Newbie)
Re: RogueKiller detect threat
« Reply #12 on: April 14, 2015, 10:29:52 AM »
Hi,

OK, thanks for the info again :)

Curson (Global Moderator)
Re: RogueKiller detect threat
« Reply #13 on: April 15, 2015, 11:54:29 AM »
Hi nexon,

You are very welcome.

Regards.

nexon (Newbie)
Re: RogueKiller detect threat
« Reply #14 on: September 13, 2015, 06:03:30 PM »
Hi,

What about this, is it okay?

[PUM.Policies] HKEY_LOCAL_MACHINE\RK_Software_ON_D_BC8E\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno