Adlice forum
General Category => Malware removal help => Topic started by: olivierdulac8 on January 03, 2015, 01:07:43 PM
-
My first scan with RogueKiller; I do not understand what I need to remove:
REPORT
RogueKiller V10.1.1.0 (x64) [Dec 23 2014] by Adlice Software
email : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com
Operating system : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : RICHMAN [Administrator]
Mode : Scan -- Date : 01/03/2015 12:26:43
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D22CC4A4-7C77-4A45-BB71-62EF2B9D53D2} | DhcpNameServer : 40.20.1.201 40.20.1.202 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D22CC4A4-7C77-4A45-BB71-62EF2B9D53D2} | DhcpNameServer : 40.20.1.201 40.20.1.202 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts file : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM014-1EJ164-SSHD +++++
--- User ---
[MBR] 96280726cacbdcf5267e55459100d58e
[BSP] 59922cf62fe850b5b7612675560b3b9f : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
And also, what is "the anti-rootkit"? It's not possible to delete it (I am sending a photo attachment).
-
Hi olivierdulac8,
Do you live in the United States ?
I ask this because some DNS entries in your log are associated with "Eli Lilly and Company", which is dubious.
The AntiRootkit module detected some IRP hooks performed by the legitimate driver Wof.sys. That's totally harmless.
If you want more information about it, please read KernelMode rootkits: Part 2, IRP hooks (http://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/).
Regards.
-
I live in France! I understand now about the anti-rootkit, and when the board is green it's OK!!!
And the registry keys, do I delete them???
Thanks for your reply.
Long life to you!!!
-
Hi olivierdulac8,
This is a DNS hijacker.
Please follow the following process as closely as possible.
1. Router disinfection / securing
There is a possibility that your router has been compromised. Such malware scans the network to find routers with weak/default passwords or firmware vulnerabilities and changes their DNS settings.
Please follow these instructions (http://forum.malekal.com/hacks-piratage-routeurs-t47046.html) to hard reset your router and update it.
2. Please delete the following registry entries
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D22CC4A4-7C77-4A45-BB71-62EF2B9D53D2} | DhcpNameServer : 40.20.1.201 40.20.1.202 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D22CC4A4-7C77-4A45-BB71-62EF2B9D53D2} | DhcpNameServer : 40.20.1.201 40.20.1.202 [UNITED STATES (US)][UNITED STATES (US)] -> Found
Finally, I strongly advise you to change your passwords and be especially wary of unauthorized transactions if you use online banking, since there is a probability that your passwords may have been stolen.
Regards.
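The triage the reply above walks through, written out as an added example (this is not code from the thread or from Adlice): it parses RogueKiller's `[PUM.Dns]` report lines, pulls out the adapter GUID, the registry value name and the resolver addresses, and flags any resolver outside an allow-list of trusted ranges. The allow-list (`TRUSTED_RESOLVERS`, here just the RFC 1918 private ranges a home router would normally answer from) and the sample report text are assumptions constructed for the example; the two `40.20.1.201 40.20.1.202` lines are copied from the log above and a benign `192.168.1.1` line is added for contrast. The value name matters for where to look: `DhcpNameServer` is written by the Windows DHCP client from the lease it received, so a bad address there points at whatever answers DHCP on the LAN (usually the router, which is why the reply starts with the router), and deleting only the registry value is undone at the next lease renewal; `NameServer` is a static setting on the host itself.

```python
"""Triage RogueKiller [PUM.Dns] lines against an allow-list of resolvers (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: resolvers a home LAN should hand out live in private ranges.
# Replace with the addresses your ISP or router actually uses.
TRUSTED_RESOLVERS = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

# Constructed sample: first two lines are the PUM.Dns entries from the log
# above, the third is a made-up benign entry, the fourth is not a DNS line.
SAMPLE_REPORT = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D22CC4A4-7C77-4A45-BB71-62EF2B9D53D2} | DhcpNameServer : 40.20.1.201 40.20.1.202 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D22CC4A4-7C77-4A45-BB71-62EF2B9D53D2} | DhcpNameServer : 40.20.1.201 40.20.1.202 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555} | NameServer : 192.168.1.1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
"""

# "[PUM.Dns] (ARCH) <registry key> | <value name> : <ip> <ip> ... [GEO] -> Found"
DNS_LINE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>HKEY_[^|]+?)\s*\|\s*"
    r"(?P<value>DhcpNameServer|NameServer)\s*:\s*"
    r"(?P<servers>[0-9A-Fa-f:. ]+?)\s*(?:\[|->)"
)
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


@dataclass(frozen=True)
class DnsFinding:
    interface: str        # adapter GUID from the registry path
    key: str              # full registry key (CurrentControlSet, ControlSet001, ...)
    value_name: str       # DhcpNameServer (from DHCP lease) or NameServer (static)
    servers: Tuple[str, ...]
    suspicious: bool
    reason: str


def _is_trusted(addr: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False      # unparseable address: treat as untrusted
    return any(ip in net for net in nets)


def parse_dns_findings(report: str, trusted=TRUSTED_RESOLVERS) -> List[DnsFinding]:
    """One finding per PUM.Dns line; suspicious if any resolver is outside `trusted`."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for line in report.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue      # not a PUM.Dns line
        servers = tuple(m.group("servers").split())
        bad = [s for s in servers if not _is_trusted(s, nets)]
        guid_m = GUID_RE.search(m.group("key"))
        guid = guid_m.group(1) if guid_m else "?"
        if bad:
            source = ("DHCP lease (check the router)" if m.group("value") == "DhcpNameServer"
                      else "static host setting")
            reason = "untrusted resolver(s) %s via %s" % (" ".join(bad), source)
        else:
            reason = "all resolvers in trusted ranges"
        findings.append(DnsFinding(guid, m.group("key").strip(), m.group("value"),
                                   servers, bool(bad), reason))
    return findings


def suspicious_interfaces(report: str, trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Distinct adapter GUIDs with at least one untrusted resolver."""
    return sorted({f.interface for f in parse_dns_findings(report, trusted) if f.suspicious})


if __name__ == "__main__":
    for f in parse_dns_findings(SAMPLE_REPORT):
        print("SUSPICIOUS" if f.suspicious else "ok       ", f.value_name, f.servers, f.reason)
```

Run it against a saved RogueKiller report instead of `SAMPLE_REPORT` to get the list of adapter GUIDs worth inspecting. Note that the `ControlSet001` and `CurrentControlSet` hits are the same interface key seen twice, so the script reports one suspicious GUID rather than two.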