Adlice forum

Software feedback => RogueKiller => Topic started by: nexon on March 29, 2015, 05:34:06 PM

Title: RogueKiller detect threat
Post by: nexon on March 29, 2015, 05:34:06 PM
Hello

RogueKiller detects this, but I am not sure if I can delete it?
Title: Re: RogueKiller detect threat
Post by: Curson on March 31, 2015, 09:53:58 PM
Hi nexon,

Welcome to Adlice.com Forum.
Could you please copy/paste RogueKiller's full report in your next reply?

Regards.
Title: Re: RogueKiller detect threat
Post by: nexon on April 01, 2015, 10:05:19 AM
hi,

You want the log, right? OK, here it is...

RogueKiller V10.5.8.0 [Mar 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operační systém : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Spuštěno : Normální režim
Uživatel : Mato [Práva správce]
Started from : D:\RogueKiller.exe
Mód : Prohledat -- Datum : 04/01/2015  10:00:11

¤¤¤ Procesy : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.HomePage] HKEY_USERS\S-1-5-21-3768633770-1161998090-4180713237-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.facebook.com/  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer :  [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer :  [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer :  [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 0 ¤¤¤

¤¤¤ Antirootkit : 2 (Driver: Nahrán) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Harddisk0\DR0 : \Driver\partmgr @ Unknown (\SystemRoot\system32\DRIVERS\cm_km_w.sys)
[Filter(Kernel.Filter)] \Driver\Disk @ \Device\Harddisk0\DR0 : \Driver\partmgr @ Unknown (\SystemRoot\system32\DRIVERS\cm_km_w.sys)

¤¤¤ Webové prohlížeče : 0 ¤¤¤

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++
--- User ---
[MBR] ec37889b1405c0ee8cfe7157ff322873
[BSP] 8e8aa1e4f461b71cb441cfc9b4c3e2d1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152622 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 312571904 | Size: 152621 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03292015_171539.log
Title: Re: RogueKiller detect threat
Post by: Curson on April 01, 2015, 10:49:54 AM
Hi nexon,

The file cm_km_w.sys is legit.
This false positive will be fixed in RogueKiller next version.

Regards.
Title: Re: RogueKiller detect threat
Post by: nexon on April 01, 2015, 03:00:42 PM
Hello

Okay, so what about the PUM entries in the registry? False positives also?
Title: Re: RogueKiller detect threat
Post by: Curson on April 01, 2015, 07:25:36 PM
Hi nexon,

Entries flagged as PUM (Potentially Unwanted Modification) could be potentially malicious.
In your case all of them are perfectly legit.

For more information, please read RogueKiller Documentation (http://www.adlice.com/softwares/roguekiller/documentation/). You will find extensive descriptions about such entries there.

Regards.
Title: Re: RogueKiller detect threat
Post by: nexon on April 01, 2015, 08:15:10 PM
Hello

Thanks for the helpful info. :)
Title: Re: RogueKiller detect threat
Post by: Curson on April 01, 2015, 09:58:22 PM
Hi nexon,

You are very welcome.  :)

All the best.
Title: Re: RogueKiller detect threat
Post by: nexon on April 12, 2015, 02:18:36 PM
Hello

Today I ran a scan with the newest version 10.5.9 and I have the same problem, see the log please.

RogueKiller V10.5.9.0 [Apr  7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operační systém : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Spuštěno : Normální režim
Uživatel : Mato [Práva správce]
Started from : D:\RogueKiller.exe
Mód : Prohledat -- Datum : 04/12/2015  14:13:55

¤¤¤ Procesy : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.HomePage] HKEY_USERS\S-1-5-21-3768633770-1161998090-4180713237-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.facebook.com/  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{383D8FB7-E60C-4D94-A3EC-8D7DE9CFE538} | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Nalezeno
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Nahrán) ¤¤¤

¤¤¤ Webové prohlížeče : 0 ¤¤¤

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++
--- User ---
[MBR] ec37889b1405c0ee8cfe7157ff322873
[BSP] 8e8aa1e4f461b71cb441cfc9b4c3e2d1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152622 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 312571904 | Size: 152621 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03292015_171539.log - RKreport_SCN_04012015_100011.log
Title: Re: RogueKiller detect threat
Post by: Curson on April 13, 2015, 06:17:19 PM
Hi nexon,

Is your ISP located in Slovakia?
If that's the case, your report is clean. ;)

Regards.
Title: Re: RogueKiller detect threat
Post by: nexon on April 13, 2015, 06:30:28 PM
Hi

Yes, this is in Slovakia: 88.212.8.8 88.212.8.88.
Is this a bug in RogueKiller? Because I see this.
Title: Re: RogueKiller detect threat
Post by: Curson on April 13, 2015, 06:54:22 PM
Hi nexon,

No, it was just to confirm it was really your ISP's nameservers.

These lines match the address of your Internet service provider's Domain Name System (http://en.wikipedia.org/wiki/Domain_Name_System).
To keep it simple, each time your computer issues a request to, for example, adlice.com, the DNS of your provider translates it to IP 1.121.101.47.
It's a translation service: URLs <=> IP addresses.

Regards.
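The two answers above (PUM entries are potentially malicious but were all legitimate here, and the DhcpNameServer lines are simply the ISP's resolvers) describe a triage decision: compare each flagged registry modification with what the machine's owner expects. The following Python script is an added example of that decision, not RogueKiller's own code. It parses lines in RogueKiller's report format and checks them against a hypothetical per-machine baseline (BASELINE is an assumption; its DNS servers are the two Slovak ISP addresses confirmed in this thread). The sample report is constructed: three lines reuse entries from the thread and a fourth is invented, with a placeholder interface GUID and a TEST-NET address, to show what a nameserver outside the baseline looks like.

```python
"""Triage of RogueKiller [PUM.*] report lines against a per-machine baseline.

Added example, not RogueKiller's code. BASELINE and the triage rules are
hypothetical; the status word "Nalezeno" is RogueKiller's Czech-localised output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in RogueKiller's report format. The first three lines reuse
# entries posted in the thread; the fourth is made up, with a placeholder
# interface GUID and a TEST-NET address that is NOT one of the ISP's nameservers.
SAMPLE_REPORT = """\
[PUM.HomePage] HKEY_USERS\\S-1-5-21-3768633770-1161998090-4180713237-1000\\Software\\Microsoft\\Internet Explorer\\Main | Start Page : https://www.facebook.com/  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters | DhcpNameServer : 88.212.8.8 88.212.8.88 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{00000000-0000-0000-0000-000000000000} | DhcpNameServer : 192.0.2.53 [(Unknown Country?) (XX)]  -> Nalezeno
"""

# Hypothetical baseline: what the owner of this particular machine expects.
BASELINE = {
    "start_page": "https://www.facebook.com/",
    "dns_servers": {"88.212.8.8", "88.212.8.88"},  # ISP nameservers confirmed in the thread
    # UAC level this user runs with. 0 means administrators are elevated without
    # any prompt; Microsoft's default is 5 (prompt for non-Windows binaries).
    "uac_admin_prompt": "0",
}

# [Category] <registry key> | <value name> : <value> [geo annotation]  -> <status>
LINE_RE = re.compile(
    r"^\[(?P<category>PUM\.\w+)\] (?P<key>.+?) \| (?P<name>[^:|]+?) : "
    r"(?P<value>.*?)\s*-> (?P<status>\S+)\s*$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    category: str
    key: str
    name: str
    value: str
    verdict: str  # "expected" or "review"
    reason: str


def parse_pum_lines(report: str) -> list[dict]:
    """Return the fields of every [PUM.*] line; all other report lines are ignored."""
    entries = []
    for line in report.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def triage_entry(entry: dict, baseline: dict) -> Finding:
    """Compare one PUM entry with the baseline and say whether it needs a human look."""
    category = entry["category"]
    name = entry["name"].strip()
    value = entry["value"].strip()

    if category == "PUM.Dns":
        servers = set(IPV4_RE.findall(value))  # drop the geo annotation, keep addresses
        unknown = servers - baseline["dns_servers"]
        if not servers:
            verdict, reason = "review", "entry carries no nameserver address"
        elif unknown:
            verdict, reason = "review", "nameserver not in ISP baseline: " + ", ".join(sorted(unknown))
        else:
            verdict, reason = "expected", "all nameservers are the ISP's"
    elif category == "PUM.HomePage":
        if value == baseline["start_page"]:
            verdict, reason = "expected", "start page is the one the user set"
        else:
            verdict, reason = "review", "start page differs from baseline: " + value
    elif category == "PUM.Policies" and name == "ConsentPromptBehaviorAdmin":
        if value == baseline["uac_admin_prompt"]:
            verdict, reason = "expected", "UAC admin prompt level matches baseline"
        else:
            verdict, reason = "review", "UAC admin prompt level changed to " + value
    else:
        verdict, reason = "review", "no baseline rule for this category"
    return Finding(category, entry["key"].strip(), name, value, verdict, reason)


def triage_report(report: str, baseline: dict = BASELINE) -> list[Finding]:
    """Triage every PUM line of a report; entries without a rule are left for review."""
    return [triage_entry(entry, baseline) for entry in parse_pum_lines(report)]


if __name__ == "__main__":
    for finding in triage_report(SAMPLE_REPORT):
        print(f"{finding.verdict:8} {finding.category:14} {finding.name}: {finding.reason}")
```

Run against the constructed sample, the three entries taken from the thread come out as "expected" and only the invented 192.0.2.53 resolver is marked for review. A DhcpNameServer entry whose address list is empty (as in the first report posted in this thread) is also marked for review rather than silently accepted, since the script cannot tell the ISP's resolvers from anything else without an address to compare.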
Title: Re: RogueKiller detect threat
Post by: nexon on April 14, 2015, 10:29:52 AM
Hi,

OK, thanks for the info again :)
Title: Re: RogueKiller detect threat
Post by: Curson on April 15, 2015, 11:54:29 AM
Hi nexon,

You are very welcome.

Regards.
Title: Re: RogueKiller detect threat
Post by: nexon on September 13, 2015, 06:03:30 PM
Hi,

What about this, is it okay?

[PUM.Policies] HKEY_LOCAL_MACHINE\RK_Software_ON_D_BC8E\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Nalezeno
Title: Re: RogueKiller detect threat
Post by: Curson on September 14, 2015, 02:54:20 PM
Hi nexon,

These entries are legit as well.

Regards.
Title: Re: RogueKiller detect threat
Post by: nexon on September 14, 2015, 05:40:10 PM
Hi Curson

Okay thanks.
Title: Re: RogueKiller detect threat
Post by: Curson on September 14, 2015, 07:12:48 PM
Hi nexon,

You are welcome.

Regards.