Adlice forum
Software feedback => RogueKiller => Topic started by: lmkwin on January 19, 2017, 03:18:31 PM
-
Can you advise which should be removed? Thank you.
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
Mode : Scan -- Date : 01/18/2017 22:48:31 (Duration : 02:15:14)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 19 ¤¤¤
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{00020812-0000-0000-C000-000000000046} (C:\Users\agale\AppData\Local\KINGSO~1\1020~1.581\office6\et.exe /Automation) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{000209FF-0000-0000-C000-000000000046} (C:\Users\agale\AppData\Local\KINGSO~1\1020~1.581\office6\wps.exe /Automation) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{00024500-0000-0000-C000-000000000046} (C:\Users\agale\AppData\Local\KINGSO~1\1020~1.581\office6\et.exe /Automation) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237} (C:\Program Files\Common Files\AVG Secure Search\RewardsInstaller\17.1.2\AVGRewardsWorker.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{45540086-5750-5300-4B49-4E47534F4655} (C:\Users\agale\AppData\Local\Kingsoft Office\10.2.0.5811\office6\et.exe /Automation) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{91493441-5A91-11CF-8700-00AA0060263B} (C:\Users\agale\AppData\Local\KINGSO~1\1020~1.581\office6\wpp.exe /Automation) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468} -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\AppDataLow\Software\adawarebp -> Found
[PUP.Gen0] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} : -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080 -> Found
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/ -> Found
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.16.0.1 ([]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 172.16.0.1 ([]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B7FDC056-F051-4067-92EE-BE1DC00AD4C3} | DhcpNameServer : 172.16.0.1 ([]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{B7FDC056-F051-4067-92EE-BE1DC00AD4C3} | DhcpNameServer : 172.16.0.1 ([]) -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Program Files\xfin_portal -> Found
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x5]) ¤¤¤
¤¤¤ Web browsers : 3 ¤¤¤
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [mysearch.avg.com] -> Found
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.url [http://mysearch.avg.com/search?cid={0DA3AF34-B38C-40F8-BCCA-B97F1C105D76}&mid=81f2b15037ed47d389d1d1574dc092a5-c16a38ad0ae11ab66968c60fe659f49aa1e8cc56&lang=en&ds=dl011&pr=sa&d=2013-08-10 12:03:33&v=15.4.0.5&pid=safeguard&sg=0&sap=dsp&q={searchTerms}] -> Found
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.suggestions_url [http://toolbar.avg.com/acp?q={searchTerms}&o=1] -> Found
¤¤¤ MBR Check : ¤¤¤
-
Hi lmkwin,
Welcome to Adlice.com Forum.
You can safely remove the following items :
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237} (C:\Program Files\Common Files\AVG Secure Search\RewardsInstaller\17.1.2\AVGRewardsWorker.dll) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468} -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\AppDataLow\Software\adawarebp -> Found
[PUP.Gen0] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} : -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080 -> Found
[PUP.Gen1][Folder] C:\Program Files\xfin_portal -> Found
The other detections are either false positives (KingSoft Office) or PUMs.
PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit.
For more information, please read RogueKiller Documentation (http://www.adlice.com/software/roguekiller/documentation/).
Regards.
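As an added example (not part of the thread, and not Adlice's or RogueKiller's own code), a small Python triage script that parses report lines in the format shown above and sorts them the way the reply does: PUP entries are marked for removal, PUM entries are kept as legitimate unless they are a proxy the user did not configure, and Suspicious.Path hits are marked for verification against known software rather than removed. The embedded sample report is constructed from the shape of the log above; the `expected_proxies` parameter, the verdict names and the `Detection` fields are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in RogueKiller report-line format (same shape as the log in
# the thread, abridged). Embedded so the example runs offline.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 6 ¤¤¤
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{00020812-0000-0000-C000-000000000046} (C:\Users\agale\AppData\Local\KINGSO~1\1020~1.581\office6\et.exe /Automation) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237} (C:\Program Files\Common Files\AVG Secure Search\RewardsInstaller\17.1.2\AVGRewardsWorker.dll) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-472153062-2965157551-1287252079-1003\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/ -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.16.0.1 ([]) -> Found
¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Program Files\xfin_portal -> Found
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [mysearch.avg.com] -> Found
"""

# One detection line: [Category][optional Kind] body -> Status
DETECT_RE = re.compile(
    r'^\[(?P<cat>[^\]]+)\]'          # [PUP.Gen0], [PUM.Proxy], [Suspicious.Path]
    r'(?:\[(?P<kind>[^\]]+)\])?'     # optional [Folder], [Chrome:Config]
    r'\s+(?P<body>.+?)\s+->\s+(?P<status>\w+)\s*$'
)
# CLSID-style body: registry key followed by the referenced target in parentheses
CLSID_RE = re.compile(r'^(?P<key>.+?)\s+\((?P<target>.+)\)$')


@dataclass
class Detection:
    section: str             # report section the line appeared under (Registry, Files, ...)
    category: str            # RogueKiller category, e.g. PUP.Gen0, PUM.Proxy
    kind: Optional[str]      # secondary tag such as Folder or Chrome:Config
    location: str            # registry key, file path or browser profile
    value_name: Optional[str]  # registry value name when the line is "KEY | Name : data"
    data: Optional[str]      # value data, CLSID target path, or browser pref payload
    status: str
    raw: str


def split_body(body: str):
    """Break the body into (location, value_name, data) for the three line shapes."""
    if ' | ' in body:                       # registry value: KEY | Name : data
        key, rest = body.split(' | ', 1)
        name, _, data = rest.partition(' : ')
        return key, name.strip(), data.strip() or None
    m = CLSID_RE.match(body)                # CLSID key with (target path)
    if m:
        return m['key'], None, m['target']
    if ' : ' in body:                       # browser config: Profile [Store] : pref [value]
        loc, _, data = body.partition(' : ')
        return loc.strip(), None, data.strip()
    return body, None, None                 # bare file or folder path


def parse_report(text: str):
    """Parse RogueKiller report text into Detection records, tracking the section."""
    section, found = 'Unknown', []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('¤¤¤'):          # section header: ¤¤¤ Registry : 19 ¤¤¤
            section = line.strip('¤ ').split(':', 1)[0].strip()
            continue
        m = DETECT_RE.match(line)
        if not m:
            continue
        loc, name, data = split_body(m['body'])
        found.append(Detection(section, m['cat'], m['kind'], loc, name, data, m['status'], line))
    return found


def triage(det: Detection, expected_proxies=frozenset()) -> str:
    """Verdict following the reply: PUP -> remove, PUM -> keep, Suspicious.Path -> verify.
    A PUM.Proxy entry is removed unless the proxy is one the user actually configured
    (the expected_proxies allowlist is this example's own assumption)."""
    if det.category.startswith('PUP.'):
        return 'remove'
    if det.category == 'PUM.Proxy':
        return 'keep' if det.data in expected_proxies else 'remove'
    if det.category.startswith('PUM.'):
        return 'keep'        # OEM start page, DHCP DNS, UI tweaks: legitimate modifications
    if det.category == 'Suspicious.Path':
        return 'verify'      # confirm the referenced binary is known software (here KingSoft Office)
    return 'review'


def summarize(text: str, expected_proxies=frozenset()):
    """Group raw report lines by verdict."""
    buckets = {'remove': [], 'keep': [], 'verify': [], 'review': []}
    for det in parse_report(text):
        buckets[triage(det, expected_proxies)].append(det.raw)
    return buckets


if __name__ == '__main__':
    for verdict, lines in summarize(SAMPLE_REPORT).items():
        print(f'== {verdict} ({len(lines)})')
        for raw in lines:
            print('  ', raw)
```

Run it against a saved RogueKiller report instead of `SAMPLE_REPORT` to get the same three-way split; pass `expected_proxies={'proxy.corp.example:8080'}` (an illustrative value) when a proxy is deliberately configured so that it lands in the keep bucket.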