Adlice forum
General Category => Malware removal help => Topic started by: slevin on September 02, 2016, 09:28:32 PM
-
Hi, after reinstalling Windows after a malware infection (hj.name) I got it back again somehow, with a lot of other stuff that RogueKiller detected.
I googled the results and found out that some belong to my AV, Kaspersky Internet Security, but for the rest of the detections I could not verify whether they were legit or not. I play CS:GO at a high level, so it's impossible to play a smooth game with this infection(s)..
I hope someone can explain these processes to me and how to fix it so this nightmare will end :(
RogueKiller log:
RogueKiller V12.5.2.0 (x64) [Aug 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : KB [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 09/02/2016 04:56:44 (Duration : 00:07:20)
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) klids -- \??\C:\ProgramData\Kaspersky Lab\AVP17.0.0\Bases\klids.sys
¤¤¤ Registry : 12 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klids (\??\C:\ProgramData\Kaspersky Lab\AVP17.0.0\Bases\klids.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_arkmon (System32\Drivers\klupd_klif_arkmon.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_klark (System32\Drivers\klupd_klif_klark.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_klbg (System32\Drivers\klupd_klif_klbg.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_mark (System32\Drivers\klupd_klif_mark.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PAExec (C:\Windows\PAExec.exe -service) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\klids (\??\C:\ProgramData\Kaspersky Lab\AVP17.0.0\Bases\klids.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PAExec (C:\Windows\PAExec.exe -service) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91d9b5c4-498d-474b-9238-295f120b9d7b} | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{91d9b5c4-498d-474b-9238-295f120b9d7b} | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
¤¤¤ Tasks : 1 ¤¤¤
[Hj.Name] %WINDIR%\Tasks\CreateExplorerShellUnelevatedTask.job -- C:\Windows\explorer.exe (/NOUACCHECK) -> Deleted
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 250GB +++++
--- User ---
[MBR] de58c31392e6e5ac11cc5beec60456fb
[BSP] 824e939082b0d1ac4cc5ea0f94e92bb6 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 237908 MB
User = LL1 ... OK
User = LL2 ... OK
-
Hi slevin,
Welcome to Adlice.com Forum.
PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit and necessary to access the Internet.
For more information, please read RogueKiller Documentation (http://www.adlice.com/software/roguekiller/documentation/).
The other entries are false positives related to Kaspersky.
This will be fixed in RogueKiller next release.
Regards.