Adlice forum
Software feedback => RogueKiller => Topic started by: Aruval on July 24, 2015, 04:07:02 PM
-
(http://i.imgur.com/6xZdxtB.jpg)
I would like to know if these keys RK ... are created by RogueKiller.
-
Hi Aruval,
Welcome to Adlice.com Forum.
Yes, these keys are legit.
Regards.
-
Hi Curson,
OK, thanks. I know that RogueKiller was the first suspect, but the problem is that "RK" could be "RogueKiller" or the very non-specific "Registry Keys".
And what made me believe in the possibility of an undetected malware is that RK reported a threat on one of these keys, so I thought: if these were RK's keys, how could it report a malware suspicion on them???
-
And also, reproduction tests did not work; I was not able to get these keys again.
I wonder if these are not keys that appear only when the process is terminated before the end ...
-
Hi Aruval,
Could you please copy/paste the full RogueKiller report in your next post?
Regards.
-
For what I said, I had exactly this in the report:
HKEY_LOCAL_MACHINE\RK_Software_ON_E_6E77\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1
-
RogueKiller V10.8.4.0 [Jun 15 2015] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com
Système d'exploitation : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Démarré en : Mode normal
Utilisateur : Propriétaire [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 06/25/2015 17:33:56
¤¤¤ Processus : 0 ¤¤¤
¤¤¤ Registre : 11 ¤¤¤
[PUM.Proxy] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8118 -> Trouvé(e)
[PUM.Desktop] HKEY_LOCAL_MACHINE\RK_Software_ON_E_6E77\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Trouvé(e)
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Trouvé(e)
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | AntiVirusDisableNotify : 1 -> Trouvé(e)
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1 -> Trouvé(e)
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | UpdatesDisableNotify : 1 -> Trouvé(e)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Trouvé(e)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Trouvé(e)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Trouvé(e)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2 -> Trouvé(e)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> Trouvé(e)
¤¤¤ Tâches : 0 ¤¤¤
¤¤¤ Fichiers : 0 ¤¤¤
¤¤¤ Fichier Hosts : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤
¤¤¤ Navigateurs web : 0 ¤¤¤
¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: ST3500630A +++++
--- User ---
[MBR] a00744f367fa634becf790b0f95e5a08
[BSP] bf18b79ae6cdd05b7dce09b5c8b55254 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 10244 MB [Windows XP Bootstrap | Windows XP Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 20980890 | Size: 10244 MB [Windows XP Bootstrap | Windows XP Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 41961780 | Size: 10244 MB [Windows XP Bootstrap | Windows XP Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 62942670 | Size: 446203 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] Le périphérique n'est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )
+++++ PhysicalDrive2: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] Le périphérique n'est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )
+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] Le périphérique n'est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )
+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] Le périphérique n'est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )
============================================
RKreport_SCN_06122015_000640.log - RKreport_SCN_06132015_100018.log - RKreport_SCN_06132015_210827.log - RKreport_SCN_06202015_131708.log
RKreport_SCN_06202015_154437.log - RKreport_SCN_06232015_125922.log - RKreport_DEL_06232015_130424.log
-
Hello,
Sorry to disturb, I can add some information :)
RK_Something keys are hives from external disks loaded by RogueKiller during a scan.
Like: RK_Software_On_K means "Hive loaded from K:/Windows/system32/config/SOFTWARE".
This is how RogueKiller scans the registry of external drives (with the Honey module); those hives are normally unmounted after the scan, or on close.
EDIT: You may see some others in HKEY_USERS.
-
Yes, that is exactly what I had: an SD card with a Windows PE ... and a custom rescue Windows XP on it.
-
Hi Aruval,
Thanks for the feedback.
Regards.
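An added example (not from this thread and not RogueKiller's own code) for the point explained above: a small Python parser for report lines in the format quoted in this thread that recognizes the `RK_<Hive>_ON_<Drive>[_<hex>]` alias of a temporarily loaded hive, maps it back to the canonical key and to the hive file on that drive, and groups findings so the two `DisableSR` hits show up as one setting seen on two Windows installations (the local one and the one on E:). The sample lines are constructed from the report above; the optional hex suffix and the `X:\Windows\system32\config\<HIVE>` source path are assumptions based on the explanation given in this thread.

```python
import re
from collections import defaultdict
# Constructed sample: three lines copied from the report quoted in this thread.
SAMPLE_REPORT = r"""
[PUM.Desktop] HKEY_LOCAL_MACHINE\RK_Software_ON_E_6E77\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Trouvé(e)
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Trouvé(e)
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1 -> Trouvé(e)
""".strip().splitlines()
# Finding line: "[Category] Key | ValueName : Data -> Status"
FINDING_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] (?P<key>.+?) \| (?P<name>.+?) : (?P<data>.*?) -> (?P<status>.+)$")
# RK_<Hive>_ON_<Drive>[_<hex>]: a hive RogueKiller loaded from another disk for the
# scan (explained in this thread); the hex suffix is assumed optional ("RK_Software_On_K").
MOUNTED_HIVE_RE = re.compile(
    r"^RK_(?P<hive>[A-Za-z]+)_ON_(?P<drive>[A-Za-z])(?:_[0-9A-Fa-f]+)?$", re.IGNORECASE)

def normalize_key(key):
    """Return (origin, canonical_key, source_file): origin is 'local' or 'X:' for a
    hive loaded from drive X; canonical_key is the path as seen on that system."""
    parts = key.split("\\")
    m = MOUNTED_HIVE_RE.match(parts[1]) if len(parts) > 1 else None
    if not m:
        return "local", key, None
    drive, hive = m.group("drive").upper(), m.group("hive")
    canonical = "\\".join([parts[0], hive] + parts[2:])
    # Assumed hive file location, as given in the thread: K:\Windows\system32\config\SOFTWARE
    source = f"{drive}:\\Windows\\system32\\config\\{hive.upper()}"
    return f"{drive}:", canonical, source

def parse_report(lines):
    """Parse finding lines; section headers (¤¤¤ ...) and blank lines are skipped."""
    findings = []
    for line in lines:
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        origin, canonical, source = normalize_key(m.group("key"))
        findings.append({"category": m.group("category"), "origin": origin,
                         "key": canonical, "name": m.group("name"),
                         "data": m.group("data"), "source_file": source})
    return findings

def group_by_setting(findings):
    """One entry per (canonical key, value name) listing the systems it was found on,
    so a hit inside a mounted hive is not mistaken for a second local infection."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["key"], f["name"])].append(f["origin"])
    return dict(groups)
```

Running `group_by_setting(parse_report(SAMPLE_REPORT))` yields the `DisableSR` entry with origins `['E:', 'local']`, which is the situation described in this thread: the same setting on the local Windows and on the rescue system on the SD card.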