Messages - Ruizi Lin

1
RogueKiller / Re: Scan Log
« on: April 21, 2017, 10:13:12 PM »
Hi, no, I'm from Singapore. Thanks for the advice. The deletion log is attached.

2
RogueKiller / Re: Scan Log
« on: April 21, 2017, 06:20:56 PM »
Hi, here it is, thanks a lot!


RogueKiller V12.10.5.0 (x64) [Apr 18 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Lin Ruizi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/21/2017 22:46:59 (Duration : 00:40:33)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 19 ¤¤¤
[PUP.ByteFence|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\ByteFence -> Found
[PUP.ByteFence|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\ByteFence -> Found
[PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Found
[PUP.ByteFence|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ByteFence -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\csastats -> Found
[PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Firefox -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ProductSetup -> Found
[PUP.ByteFence|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ByteFence -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\csastats -> Found
[PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Firefox -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ProductSetup -> Found
[PUP.ByteFence|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence -> Found
[PUP.ByteFence|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ByteFenceService ("C:\Program Files\ByteFence\ByteFenceService.exe") -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FirefoxDL ("C:\Users\LINRUI~1\AppData\Local\Temp\fE440.tmp\QQBrowser.exe" -isvc) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a15ef035-b447-4258-8ef5-8f693f06c9e4} | DhcpNameServer : 192.15.128.24 ([United Arab Emirates])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 6 ¤¤¤
[PUP.ByteFence|PUP.Gen1][Folder] C:\ProgramData\ByteFence -> Found
[PUP.ByteFence|PUP.Gen1][Folder] C:\ProgramData\ByteFence -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware -> Found
[PUP.Ghokswa][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
[PUP.ByteFence|PUP.Gen1][Folder] C:\Program Files\ByteFence -> Found
[PUP.Ghokswa][Folder] C:\Program Files (x86)\Firefox -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SD8SNAT256G1002 +++++
--- User ---
[MBR] 76a3e864959330840f047da5e2ecbca0
[BSP] 82f7a7df82cffadfe275867bb4734edd : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
2 - Basic data partition | Offset (sectors): 567296 | Size: 243422 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 499095552 | Size: 499 MB
User = LL1 ... OK
User = LL2 ... OK


3
RogueKiller / Scan Log
« on: April 20, 2017, 03:26:18 PM »
Hi, I have not been able to scan my laptop in a very long time as I have been busy with work. Apparently it's very infected. Could someone kindly tell me which ones are legit? Thanks very much.

RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Lin Ruizi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/20/2017 20:47:03 (Duration : 00:36:56)

¤¤¤ Processes : 2 ¤¤¤
[Proc.Svchost] svchost.exe(8452) --
  • -> Found
[PUP.Ghokswa|VT.Adware.Elex] (SVC) FirefoxU -- "C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe"[7] -> Found

¤¤¤ Registry : 21 ¤¤¤
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\ByteFence -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\ByteFence -> Found
[PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ByteFence -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\csastats -> Found
[PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Firefox -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ProductSetup -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ByteFence -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\csastats -> Found
[PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Firefox -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ProductSetup -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ByteFenceService ("C:\Program Files\ByteFence\ByteFenceService.exe") -> Found
[PUP.Ghokswa|VT.Adware.Elex] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FirefoxU ("C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe") -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a15ef035-b447-4258-8ef5-8f693f06c9e4} | DhcpNameServer : 192.15.128.24 ([United Arab Emirates])  -> Found
[PUP.Ghokswa|VT.Adware.Elex] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {31CF73E3-DB6F-4C4D-8F2F-5BC7F9260232} : v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe|Name=Update service| [7] -> Found
[PUP.Ghokswa|VT.Riskware ( 0040eff71 )] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3D8AC36A-4FE2-48AE-8BD3-1A5B6738FFEF} : v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [7] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 11 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\ByteFence -> Found
[PUP.Ghokswa][File] C:\Users\Public\Desktop\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
[PUP.Ghokswa][File] C:\Users\Lin Ruizi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
[PUP.Ghokswa][Folder] C:\Users\Lin Ruizi\AppData\Roaming\Firefox -> Found
[PUP.Ghokswa][Folder] C:\Users\Lin Ruizi\AppData\Local\Firefox -> Found
[PUP.Gen1][Folder] C:\ProgramData\ByteFence -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware -> Found
[PUP.Ghokswa][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
[PUP.Gen1][Folder] C:\Program Files\ByteFence -> Found
[PUP.Ghokswa][Folder] C:\Program Files (x86)\Firefox -> Found
[PUP.Ghokswa][File] C:\Users\Public\Desktop\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.SearchEngine][Firefox:Config] 9ihe183y.default : user_pref("browser.search.selectedEngine", "Yahoo! Powered Search"); -> Found
[PUM.SearchEngine][Firefox:Config] 9ihe183y.default : user_pref("browser.search.defaultenginename", "Yahoo! Powered Search"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SD8SNAT256G1002 +++++
--- User ---
[MBR] 76a3e864959330840f047da5e2ecbca0
[BSP] 82f7a7df82cffadfe275867bb4734edd : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
2 - Basic data partition | Offset (sectors): 567296 | Size: 243422 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 499095552 | Size: 499 MB
User = LL1 ... OK
User = LL2 ... OK


4
RogueKiller / Help analyzing log
« on: October 03, 2016, 10:20:04 AM »
Hi, sorry, I'm new to this and just tried running a scan for the first time. Can anyone help me with interpreting the log file and seeing which are real threats? Thanks a lot for any help.

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Ruizi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 10/03/2016 14:22:05 (Duration : 01:42:58)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{1386F2A3-FEB9-4C55-AD9A-B798EE57299B} (C:\Program Files\BubbleSound\BubbleSound.dll) -> Found
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{7FDF7A92-F901-4F93-9769-A8AC41C8E563} (C:\Program Files\BubbleSound\BubbleSound.dll) -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SPPDCOM -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\WebApp -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\WebApp -> Found
[PUP] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1146AC44-2F03-4431-B4FD-889BC837521F}{bac261ec} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC} -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | 3D BubbleSound : "C:\Program Files\BubbleSound\3D BubbleSound.exe"
  • -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpKsl60ef2a9f (\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{95C7238F-614D-42D7-8406-1D51C6F033B6}\MpKsl60ef2a9f.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpKsl60ef2a9f (\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{95C7238F-614D-42D7-8406-1D51C6F033B6}\MpKsl60ef2a9f.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7B3B2863-3DEA-4AA7-8CA9-0ABE6206D5FF} | DhcpNameServer : 10.3.44.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7B3B2863-3DEA-4AA7-8CA9-0ABE6206D5FF} | DhcpNameServer : 10.3.44.1 ([])  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[PUP] \bvxvbxvd -- C:\Users\Ruizi\AppData\Local\bvxvbxvd\bvxvbxvd.exe -> Found

¤¤¤ Files : 4 ¤¤¤
[Suspicious.Path][File] C:\Users\Ruizi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk [LNK@] C:\ProgramData\{e8b0fc61-1f5e-6765-e8b0-0fc611f5f184}\hqghumeaylnlf.exe /startup -> Found
[PUP][File] C:\Users\Public\Desktop\Popcorn Time.lnk [LNK@] C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[PUP][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[PUP][Folder] C:\Program Files (x86)\Popcorn Time -> Found
