Adlice forum
Software feedback => RogueKiller => Topic started by: aurion45 on July 26, 2014, 12:24:20 AM
-
Hi There,
I seem to have a problem as well: with explorer.exe it is outbound to some IP address, but Malwarebytes prevents it from connecting, and it has stopped for now, but I think there is still a problem?
Can you please help, thank you. Andrew
RogueKiller V9.2.4.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 32 bits version
Started in : Normal mode
User : asoul_000 [Admin rights]
Mode : Scan -- Date : 07/26/2014 08:07:29
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 10 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 0 ¤¤¤
¤¤¤ Antirootkit : 30 (Driver: LOADED) ¤¤¤
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0xb370000
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0xb370014
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0xb370028
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllCanUnloadNow : C:\Windows\System32\netprofm.dll @ 0x683b10aa
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllGetClassObject : C:\Windows\System32\netprofm.dll @ 0x683b2003
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllRegisterServer : C:\Windows\System32\netprofm.dll @ 0x683d5fbd
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllUnregisterServer : C:\Windows\System32\netprofm.dll @ 0x683d5fe1
[EAT:Addr] (explorer.exe) ATL.DLL - NetAddAlternateComputerName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6466a7
[EAT:Addr] (explorer.exe) ATL.DLL - NetEnumerateComputerNames : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6467b1
[EAT:Addr] (explorer.exe) ATL.DLL - NetGetJoinInformation : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f642b89
[EAT:Addr] (explorer.exe) ATL.DLL - NetGetJoinableOUs : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646931
[EAT:Addr] (explorer.exe) ATL.DLL - NetJoinDomain : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f644409
[EAT:Addr] (explorer.exe) ATL.DLL - NetRemoveAlternateComputerName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646a89
[EAT:Addr] (explorer.exe) ATL.DLL - NetRenameMachineInDomain : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646b91
[EAT:Addr] (explorer.exe) ATL.DLL - NetSetPrimaryComputerName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646c99
[EAT:Addr] (explorer.exe) ATL.DLL - NetUnjoinDomain : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f64431b
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseAdd : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f643324
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseDel : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f642fe8
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseEnum : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6430c1
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseGetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646da1
[EAT:Addr] (explorer.exe) ATL.DLL - NetValidateName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646e41
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaGetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f642c99
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaSetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646fd1
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaStatisticsGet : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6470a9
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaTransportAdd : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6471b9
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaTransportDel : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647299
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaTransportEnum : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647371
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaUserEnum : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6474c5
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaUserGetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647615
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaUserSetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647709
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 968b68c9ed36a3c42cfbf4ccb6686a21
[BSP] 95710b1fd0045563c6af269b8702db8b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1092 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2238464 | Size: 749404 MB
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1537017856 | Size: 203370 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Multiple Card Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_07262014_065345.log - RKreport_DEL_07262014_072607.log
-
OK, I'm going to re-install my computer back to a custom image that I know is good.
I'll let you know the outcome, if this fixes my problem.
-
OK, re-imaged my computer and re-ran RogueKiller; here is the outcome below:
RogueKiller V9.2.4.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 32 bits version
Started in : Normal mode
User : asoul_000 [Admin rights]
Mode : Scan -- Date : 07/26/2014 17:12:07
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 10 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49 -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \\SomotoUpdateCheckerAutoStart -- C:\Users\asoul_000\AppData\Local\FilesFrog Update Checker\update_checker.exe (/auto) -> FOUND
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 0 ¤¤¤
¤¤¤ Antirootkit : 8 (Driver: LOADED) ¤¤¤
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0xaff0000
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0xaff0014
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0xaff0028
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingDoAction : C:\Windows\system32\elscore.dll @ 0x68337834
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingFreePropertyBag : C:\Windows\system32\elscore.dll @ 0x68331230
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingFreeServices : C:\Windows\system32\elscore.dll @ 0x68337908
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingGetServices : C:\Windows\system32\elscore.dll @ 0x68332fa1
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingRecognizeText : C:\Windows\system32\elscore.dll @ 0x683310d0
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 968b68c9ed36a3c42cfbf4ccb6686a21
[BSP] 95710b1fd0045563c6af269b8702db8b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1092 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2238464 | Size: 749404 MB
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1537017856 | Size: 203370 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: Multiple Card Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
-
Hello,
When you have such orange lines, you have to google the DLL name to see if it's known.
You can also look at the file directly (since you are supposed to have it), look at the publisher, and why not upload it to VirusTotal.
Here it looks like they are legit. I'll add them to the whitelist.
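One way to carry out the triage described in this reply, as an added example that is not RogueKiller's or Adlice's own code: a PowerShell snippet that parses the [EAT:Addr]/[IAT:Addr] lines of a RogueKiller log, then reports each resolved module's Authenticode publisher and SHA256 hash for a VirusTotal lookup. The sample log lines embedded in it are constructed in the format shown in this thread; the regex and the output fields are my own.

```powershell
# Added example (not RogueKiller's or Adlice's own code): triage the module paths
# that RogueKiller prints on [EAT:Addr]/[IAT:Addr] lines by checking each file's
# Authenticode publisher and computing a SHA256 to look up on VirusTotal.
# The sample lines below are constructed in the format of the logs in this thread.
$sampleLog = @'
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0xaff0000
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllCanUnloadNow : C:\Windows\System32\netprofm.dll @ 0x683b10aa
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseAdd : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f643324
'@

# One Antirootkit line: [kind:Addr] (process) module - export : target @ address
$pattern = '^\[(?<kind>[IE]AT):Addr\] \((?<proc>[^)]+)\) (?<mod>\S+) - (?<fn>[^:]*): (?<target>.+?) @ (?<addr>0x[0-9a-fA-F]+)$'

$paths = @{}   # unique resolved module paths (hashtable keys are case-insensitive)
foreach ($line in ($sampleLog -split "`r?`n")) {
    if ($line -match $pattern) {
        if ($Matches.target -eq 'Unknown') {
            # No module backs this address: nothing on disk to inspect, so flag it for follow-up.
            Write-Warning "$($Matches.kind) entry in $($Matches.proc) ($($Matches.mod)) resolves to no module: $line"
        } else {
            $paths[$Matches.target] = $true
        }
    }
}

foreach ($path in $paths.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is named in the log but is not present on disk"
        continue
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $publisher = '(none)'
    if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
    # A stock Windows DLL should show Status Valid with a Microsoft subject.
    # NotSigned on a System32 file can mean it is catalog-signed rather than carrying an
    # embedded signature; confirm with Sysinternals sigcheck before treating it as suspect.
    [pscustomobject]@{
        Path      = $path
        SigStatus = $sig.Status
        Publisher = $publisher
        Sha256    = $hash    # search this hash on VirusTotal rather than uploading a stock system file
    }
}
```

Replace `$sampleLog` with `Get-Content` of a real RKreport log to run it over a full scan; only the "Unknown" entries and any path that is unsigned or outside the Windows directory need a closer look.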
-
Thanks will do next time.