Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - DaggerDave

Pages: [1]
1
RogueKiller / Re: ==> Proc.Injected <==
« on: April 11, 2016, 03:22:57 PM »
Hi Curson,

Thanks for your help. 

Here are the contents of the text export of the report.  If am not sure whether the .json export of the report that I included in the zip archive might provide you with more details.

Quote
RogueKiller V12.1.1.0 (x64) [Apr  4 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : F:\Users\David\Downloads\Programs\RogueKillerX64.exe
Mode : Scan -- Date : 04/08/2016 10:03:13

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] ClipMate.exe(10364) -- O:\Program Files (x86)\ClipMate7\ClipMate.exe
  • -> Found


¤¤¤ Registry : 18 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AppSafe -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\ExpressFiles -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Lightspark Team -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\PIP -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WUDFRd (\SystemRoot\system32\DRIVERS\WUDFRd.sys) -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-960806728-1607608830-987004840-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy-nl.privateinternetaccess.com  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-960806728-1607608830-987004840-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy-nl.privateinternetaccess.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{36939f71-5de6-4be9-bbcb-7353241f72c7} | DhcpNameServer : 172.27.35.1 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8d862535-ff56-4dcc-adf7-e596795860d4} | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b0b3febb-ac5c-4c9f-afe2-b1f3b287dce8} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{df46461e-aaf3-4a0a-9a83-4ac6d1f4caea} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{36939f71-5de6-4be9-bbcb-7353241f72c7} | DhcpNameServer : 172.27.35.1 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8d862535-ff56-4dcc-adf7-e596795860d4} | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b0b3febb-ac5c-4c9f-afe2-b1f3b287dce8} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{df46461e-aaf3-4a0a-9a83-4ac6d1f4caea} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found

¤¤¤ Tasks : 3 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\AppCloudUpdater.job -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \AppCloudUpdater -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \DelayedItemsByChemtableSoftware\Send to OneNote -- "C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk" (/tsr) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 7 ¤¤¤
[PUP][CHROME:Addon] Default : EditThisCookie [fngmhnnpilhplaeedifhccceomclgfbg] -> Found
[PUP][CHROME:Addon] Default : Chromium browser automation [jmbmjnojfkcohdpkpjmeeijckfbebbon] -> Found
[PUP][CHROME:Addon] Default : Awesome Dictionary Widget [ANTP] [kdigjjbkpjljoknifbgaijaemafihhga] -> Found
[PUP][CHROME:Addon] Default : Awesome New Tab Page [mgmiemnjjchgkmgbeljfocdjjnpjnmcg] -> Found
[PUP][CHROME:Addon] Default : Click&Clean App [pdabfienifkbhoihedcgeogidfmibmhp] -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http", "209.240.134.74"); -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http_port", 80); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 +++++
--- User ---
[MBR] a7e800f69b4cb2500665500759a0a577
[BSP] e897dd8278912e0e2e18aad99cb66889 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 16065 | Size: 664124 MB
1 - Basic data partition | Offset (sectors): 1360143288 | Size: 404833 MB
2 - Basic data partition | Offset (sectors): 2189241810 | Size: 1136700 MB
3 - Basic data partition | Offset (sectors): 4517204902 | Size: 142310 MB
4 - Basic data partition | Offset (sectors): 4808656896 | Size: 513608 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD40E31X-00HY4A0 +++++
--- User ---
[MBR] 29c4d127450b4c0343ff25ed8f29e666
[BSP] 5d38ebc157718a81a78a39db4bd81b69 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 1883100 MB
2 - Basic data partition | Offset (sectors): 3856855040 | Size: 1668139 MB
3 - Basic data partition | Offset (sectors): 7273205760 | Size: 264075 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: ST3000DM001-1CH166 +++++
--- User ---
[MBR] 9e3cc1b6227003de1a2076ae3c805e83
[BSP] dd84239348de550d8f702fb1123363d6 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 228585 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: ADATA SX900 +++++
--- User ---
[MBR] e3854da19d52a76bcb4108a8de60e198
[BSP] 1535218b785a463a7343d6643ab38b68 : Empty|VT.Unknown MBR Code
Partition table:
0 -  | Offset (sectors): 40 | Size: 244198 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Generic- SM/xD Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive8: TRUSTED Mass Storage USB Device +++++
--- User ---
[MBR] 1bb36fb0db2124e6ef43a147496e1e5d
[BSP] 6bb52253c0292faa1444fc34eb5cf779 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - DROBO GPT PARTITION | Offset (sectors): 40 | Size: 16777088 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive9: Microsoft Virtual Disk +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 102270 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


2
RogueKiller / Re: ==> Proc.Injected <==
« on: April 08, 2016, 05:06:26 PM »
Hello.

Roguekiller is reporting Proc.Injected for Clipmate.exe.  Should I be concerned?

Link to zip containing dmp and log: https://www.dropbox.com/s/p74pwptzffr37gz/ClipMate.dmp.zip?dl=0

Thank you.

Pages: [1]