

Messages - firefoxthebomb

1
RogueKiller / Re: ===> False Positives <===
« on: October 11, 2016, 09:55:18 PM »
Followed the instructions; however, the file size is 0, but I have included a copy of the exe file.

You can download it from here: https://we.tl/oJrPirkfXr (it's the WeTransfer site)


2
RogueKiller / Re: ===> False Positives <===
« on: October 11, 2016, 04:31:59 PM »
Think I have some false positives here; see log below. The items I feel are false positives are in RED.

1. The hasplms.exe file is part of the ScanSnap software that comes with my fi-6130Z scanner; the VirusTotal results are here: https://www.virustotal.com/en/file/22c58e4bf558420fee5b2d6a8f15531c768f5814a18d5f5b20cdbc8479090319/analysis/1476191969/

2. The 3 reg keys are part of my Symantec Endpoint Protection version 12.1.6 (12.1 RU6 MP5) build 7004 (12.1.7004.6500) (AntiVirus)

3. The Slack ones are part of the Slack messenger v2.2.1.

RogueKiller V12.7.1.0 (x64) [Oct 10 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : firefox [Administrator]
Started from : L:\Flash Drives\128GB Flash Drive Backup 5-26-2016\Tech CD\Utils\Ad Aware\Bleeping Computer Stuff\RogueKiller by tigzy\RogueKillerX64 V12.7.1.exe
Mode : Scan -- Date : 10/11/2016 08:13:03 (Duration : 00:38:04)

¤¤¤ Processes : 1 ¤¤¤
[Proc.RunPE] hasplms.exe(5536) -- C:\Windows\System32\hasplms.exe[7] -> Found

¤¤¤ Registry : 11 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\BASHDefs\20160922.001\BHDrvx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\EX64.SYS) -> Found

[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[Suspicious.Path][File] C:\Users\firefox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk [LNK@] C:\Users\firefox\AppData\Local\slack\Update.exe --processStart "slack.exe" -a "--startup" -> Found
[PUP][Folder] C:\Users\firefox\AppData\Roaming\Download Manager -> Found
[PUP][Folder] C:\Users\firefox\AppData\Local\PackageAware -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/"); -> Found


¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] 9a58401060fd78b7ced0042be99fe3e8
[BSP] a4478fcfe5b4c86f09d53598ed58a5e2 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 750 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1617920 | Size: 367112 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 753463296 | Size: 1539826 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] d4ecfbd1a1d3c4917af6d6d28c8c95d7
[BSP] 6f5fe8da57fa68252ca31cc6e5d209fd : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- M.S./M.S.Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Kanguru SS3 USB Device +++++
--- User ---
[MBR] 94f9443d96441ecfcdafb5853a2e8a7e
[BSP] 39eaafe8c7c2f2a60c9df4ab5a671e21 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 120348 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
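
The triage done by hand in the post above (checking a detection's location against software known to be installed, and a file's hash against a VirusTotal result) can be scripted. The block below is an added example and is not RogueKiller's or Adlice's code: it parses the `[Tag] ... -> Found` lines of a report, in the exact formats the log above uses, into detections and then sorts each one against a locally maintained allowlist. The report excerpt, the allowlist entries and the names `parse_report`, `triage` and `file_sha256` are constructed for this example; the SHA-256 is the one in the VirusTotal link of the post. A hash match is ranked above a location match, because a location-only rule would also clear anything else dropped into that folder.

```python
"""Triage helper for RogueKiller scan reports (added example, not Adlice's code).

Parses the "[Tag] ... -> Found" lines of a report into detections and sorts
each one against an allowlist of software the operator has already verified.
SAMPLE_REPORT, PATH_ALLOWLIST and the function names are constructed for this
example; the SHA-256 below is the one from the VirusTotal link in the post.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Section header, e.g. "¤¤¤ Registry : 11 ¤¤¤" (no count on "¤¤¤ MBR Check : ¤¤¤")
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s+:")
# Detection line: [Tag] groups, a body, then "-> <status>"; the status may carry
# detail such as "ERROR [41c]" or "Killed [TermProc]"
DETECTION_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<body>.*?)\s*->\s*(?P<status>.+?)\s*$")
# First Windows path in a body; paths contain spaces, so stop only at quotes/brackets
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^"()\[\]]*')


@dataclass(frozen=True)
class Detection:
    section: str
    tags: Tuple[str, ...]
    body: str
    status: str

    def first_path(self) -> Optional[str]:
        m = WINPATH_RE.search(self.body)
        return m.group(0).rstrip() if m else None


def parse_report(text: str) -> List[Detection]:
    """Walk the report line by line, tagging each detection with its section."""
    section, hits = None, []
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        det = DETECTION_RE.match(line)
        if det and section:
            tags = tuple(re.findall(r"\[([^\]]+)\]", det.group("tags")))
            hits.append(Detection(section, tags, det.group("body"), det.group("status")))
    return hits


# Location rules: case-insensitive substrings of the detection body. These are the
# weaker check, because anything dropped into a trusted folder would match too.
PATH_ALLOWLIST: Dict[str, str] = {
    "\\programdata\\symantec\\symantec endpoint protection\\": "Symantec Endpoint Protection definitions",
    "\\appdata\\local\\slack\\update.exe": "Slack messenger startup entry",
}
# Content rules: SHA-256 of files the operator verified (the post used VirusTotal).
HASH_ALLOWLIST: Dict[str, str] = {
    "22c58e4bf558420fee5b2d6a8f15531c768f5814a18d5f5b20cdbc8479090319": "hasplms.exe shipped with the ScanSnap software",
}


def file_sha256(path: str) -> Optional[str]:
    """SHA-256 of a file on disk, or None if it cannot be read on this host."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None


def triage(dets: List[Detection],
           hasher: Callable[[str], Optional[str]] = file_sha256) -> List[Tuple[Detection, str, str]]:
    """Return (detection, verdict, reason); a hash match outranks a location match."""
    out = []
    for d in dets:
        path = d.first_path()
        digest = hasher(path) if path else None
        if digest in HASH_ALLOWLIST:
            out.append((d, "allowlisted-hash", HASH_ALLOWLIST[digest]))
            continue
        lowered = d.body.lower()
        why = next((label for needle, label in PATH_ALLOWLIST.items() if needle in lowered), None)
        out.append((d, "allowlisted-path", why) if why else (d, "review", "no rule matched"))
    return out


# Constructed excerpt of the report in the post above, using its exact line formats.
SAMPLE_REPORT = r"""RogueKiller V12.7.1.0 (x64) [Oct 10 2016] (Free) by Adlice Software

¤¤¤ Processes : 1 ¤¤¤
[Proc.RunPE] hasplms.exe(5536) -- C:\Windows\System32\hasplms.exe[7] -> Found

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\BASHDefs\20160922.001\BHDrvx64.sys) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found

¤¤¤ Files : 2 ¤¤¤
[Suspicious.Path][File] C:\Users\firefox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk [LNK@] C:\Users\firefox\AppData\Local\slack\Update.exe --processStart "slack.exe" -a "--startup" -> Found
[PUP][Folder] C:\Users\firefox\AppData\Roaming\Download Manager -> Found

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/"); -> Found

¤¤¤ MBR Check : ¤¤¤
[MBR] 9a58401060fd78b7ced0042be99fe3e8
"""

if __name__ == "__main__":
    for det, verdict, why in triage(parse_report(SAMPLE_REPORT)):
        print(f"{verdict:17} [{det.section}] {'/'.join(det.tags)}: {why}")
```

Run on a host that does not have the files, only the two location rules fire and hasplms.exe stays in "review"; once the file can be hashed and matches the recorded digest it is cleared as "allowlisted-hash". Lines that carry brackets but no `-> status` (the MBR, hosts-file and Antirootkit entries) are deliberately not treated as detections.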


3
RogueKiller / Re: RogueKiller 11 beta
« on: October 27, 2015, 10:32:19 PM »
Sorry Tigzy, I got busy and just now was able to test it.

I downloaded and ran version 11 beta 8 with no issues this time around.

4
RogueKiller / Re: RogueKiller 11 beta
« on: October 05, 2015, 08:43:17 PM »
Thanks for the opportunity to test this beta out.

I have run it on a Windows 10 64-bit VM with not much installed on it. Anyhow, it did cause an issue where the computer rebooted. I have attached the minidump file for your review.

5
RogueKiller / Report displays wrong OS installed
« on: August 04, 2015, 03:23:00 PM »
Sorry if this has already been mentioned, but I looked under known issues and did not find it listed.

Scanning on a Windows 10 VM (Windows 10 Pro Insider Preview), the report shows I have Windows 8 installed, as shown below:

RogueKiller V10.9.4.0 (x64) [Jul 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : user [Administrator]
Started from : C:\Users\user\Downloads\RogueKillerX64 V10.9.4.exe
Mode : Scan -- Date : 08/04/2015 08:18:12

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: VMware, VMware Virtual S SCSI Disk Device +++++
--- User ---
[MBR] 0df87b8e160b929b702fed916fcbbeb5
[BSP] 97839cedc6ed527ff9d69037b85a8d90 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 61438 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


6
RogueKiller / Re: RogueKiller stops prescan at 80%
« on: April 07, 2015, 10:05:27 PM »
Just tested version 10.5.9.0 (x64) and no problems with Symantec Endpoint Protection; also, thanks for fixing the false positive with Malwarebytes Secure Backup, it is no longer detected.

Great Work!

7
RogueKiller / Re: RogueKiller stops prescan at 80%
« on: March 30, 2015, 06:14:50 PM »
Curson, just an FYI... I downloaded version 10.5.8 x64 and tried this version to see if I still got the same errors. I was able to complete a pre-scan with no detections about Symantec Endpoint Protection; I did, however, get a false positive with Malwarebytes Secure Backup. See log below:

RogueKiller V10.5.8.0 (x64) [Mar 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : owner [Administrator]
Started from : L:\Flash Drives\128GB Flash Drive Backup\Tech CD\Utils\Ad Aware\Bleeping Computer Stuff\RogueKiller by tigzy\RogueKillerX64 V10.5.8.exe
Mode : Scan -- Date : 03/30/2015  11:10:32

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] mbsbscan.exe(9528) -- C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 9 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 36 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 52 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "http://www.bleepingcomputer.com/forums/|https://forums.malwarebytes.org/|http://www.systemlookup.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] 9a58401060fd78b7ced0042be99fe3e8
[BSP] a4478fcfe5b4c86f09d53598ed58a5e2 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 750 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1617920 | Size: 367112 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 753463296 | Size: 1539826 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] d4ecfbd1a1d3c4917af6d6d28c8c95d7
[BSP] 6f5fe8da57fa68252ca31cc6e5d209fd : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: Kanguru SS3 USB Device +++++
--- User ---
[MBR] 94f9443d96441ecfcdafb5853a2e8a7e
[BSP] 39eaafe8c7c2f2a60c9df4ab5a671e21 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 120348 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Generic- M.S./M.S.Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


8
RogueKiller / Re: RogueKiller stops prescan at 80%
« on: March 23, 2015, 03:25:46 PM »
Thanks for the continued info, hope you guys nail it down, as I have that setup on many computers.

Look forward to the fix.

9
RogueKiller / Re: RogueKiller stops prescan at 80%
« on: March 23, 2015, 02:01:53 AM »
Well, the scan did go up to 4% and then locked up once again, and would not move from there. I ended the task in Task Manager and then re-launched RogueKiller. This time it completed the pre-scan and was also able to complete the scan I ran. The report is below if that helps with the fixing of the issue...

RogueKiller V10.5.7.0 (x64) [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Firefox [Administrator]
Started from : C:\temp\RogueKillerX64 V10.5.7.exe
Mode : Scan -- Date : 03/22/2015  19:54:54

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSVia64 -- \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys[7] -> ERROR [41c]

¤¤¤ Registry : 16 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 34 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 27 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\drivers\symefasi\0500010.01F\symefasi.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\drivers\symefasi\0500010.01F\symefasi.sys)
[IAT:Addr(Hook.IEAT)] (iexplore.exe) msvcrt.dll - memcpy : C:\Program Files (x86)\Stardock\ObjectDockPlus2\Dock64.dll @ 0x2eb8030
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileA :  @ 0x0 ()

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] ljcy9al9.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/|http://www.bleepingcomputer.com/forums/|http://www.systemlookup.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103UJ ATA Device +++++
--- User ---
[MBR] 074b342e6503d998a5f55dd94a2f3549
[BSP] 3cfc57663abb2195f66e045b394cdbf0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 976762880 | Size: 476933 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG HD103UJ ATA Device +++++
--- User ---
[MBR] a3e94eac8201feabc51ff6a00d3a1123
[BSP] e3b27120b8c9e7a10f8d5b6df0d6a6da : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: KANGURU SS3 USB Device +++++
--- User ---
[MBR] 39d4b669dd54e10382bd49dd16a68f0a
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 60300 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_03222015_194500.log


10
RogueKiller / Re: RogueKiller stops prescan at 80%
« on: March 23, 2015, 01:36:14 AM »
Thanks for that info; also, I noticed there was a new update, v10.5.7... This version works now, as it does not get stuck; however, I still get an error or process terminated for Symantec Endpoint Protection... See image.

When I ran the scan it got stuck at 3% and now says not responding... I let it sit for a while and it came back; will let you know if it completes...


11
RogueKiller / Re: RogueKiller stops prescan at 80%
« on: March 19, 2015, 04:32:31 PM »
Thanks for the additional update. I will try in safe mode; Windows 8 is a little trickier to get into safe mode....

Anyway, I look forward to an update and fix. Thanks

12
RogueKiller / Re: RogueKiller stops prescan at 80%
« on: March 18, 2015, 09:51:31 PM »
Thanks for the Welcome!  8)

Thanks for getting back to me. I figured as much; I just thought I would share it in case the info was needed or further testing was required. Look forward to a fix.

In the meantime, is there a workaround?

13
RogueKiller / RogueKiller stops prescan at 80%
« on: March 17, 2015, 03:49:54 PM »
I am trying to use RogueKiller v10.5.5.0 x64 to scan a couple of computers with Symantec Endpoint Protection v12.1.5 (a couple to confirm I get the same results). During the pre-scan process it stops scanning once it hits 80%, while checking services: NAVENG. I attached the screenshot. Also, I was trying to get a dump using Process Explorer, but RogueKiller kills the process before I can use it to get the dump.

Any help appreciated... This has been happening for a few versions back as well.
