Show Posts



Messages - counselorgene

1
RogueKiller / Re: ===> False Positives <===
« on: February 08, 2017, 08:11:02 PM »
Thank you, Curson!

I will strongly consider buying the premium version of your software. While some entries were false positives, I appreciate that it did find some entries that were viral.

Thanks again!

2
RogueKiller / Re: ===> False Positives <===
« on: February 08, 2017, 07:27:26 AM »
Hi Curson,

Thanks for that info. I deleted the [Root.Necurs] entries. Here is what populates now. I believe this is all related to Dr. Web, but maybe not. I ran the program in both normal WIN operating conditions and Safe Mode. See the output below for both:

--------------------------------------------------------------------------------------------------------

Normal WIN Operating Conditions:

¤¤¤ Processes : 63 ¤¤¤
[Proc.Injected] wininit.exe(576) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(636) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(688) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(760) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(804) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(896) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(932) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(976) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(1000) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] igfxCUIService.exe(504) -- C:\Windows\System32\igfxCUIService.exe[7] -> Found
[Proc.Injected] svchost.exe(652) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(884) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] spoolsv.exe(1228) -- C:\Windows\System32\spoolsv.exe[-] -> Found
[Proc.Injected] svchost.exe(1252) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] armsvc.exe(1456) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[7] -> Found
[Proc.Injected] taskhostex.exe(1480) -- C:\Windows\System32\taskhostex.exe[7] -> Found
[Proc.Injected] explorer.exe(1584) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] AdminService.exe(1636) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe[-] -> Found
[Proc.Injected] officeclicktorun.exe(1656) -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[7] -> Found
[Proc.Injected] svchost.exe(1692) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dasHost.exe(1708) -- C:\Windows\System32\dasHost.exe[-] -> Found
[Proc.Injected] dwservice.exe(1744) -- C:\Program Files\DrWeb\dwservice.exe[7] -> Found
[Proc.Injected] svchost.exe(1772) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] HeciServer.exe(1860) -- C:\Program Files\Intel\iCLS Client\HeciServer.exe[7] -> Found
[Proc.Injected] Jhi_service.exe(1940) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[7] -> Found
[Proc.Injected] HotkeyUtility.exe(1532) -- C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe[7] -> Found
[Proc.Injected] RosettaStoneDaemon.exe(2164) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[7] -> Found
[Proc.Injected] svchost.exe(2272) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwengine.exe(2960) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[7] -> Found
[Proc.Injected] dwantispam.exe(2344) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwantispam.exe[7] -> Found
[Proc.Injected] dwarkdaemon.exe(2436) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[7] -> Found
[Proc.Injected] PresentationFontCache.exe(2520) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[7] -> Found
[Proc.Injected] svchost.exe(3232) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] SearchIndexer.exe(3304) -- C:\Windows\System32\SearchIndexer.exe[-] -> Found
[Proc.Injected] igfxHK.exe(3496) -- C:\Windows\System32\igfxHK.exe[7] -> Found
[Proc.Injected] igfxTray.exe(3504) -- C:\Windows\System32\igfxTray.exe[7] -> Found
[Proc.Injected] igfxEM.exe(3676) -- C:\Windows\System32\igfxEM.exe[7] -> Found
[Proc.Injected] BtvStack.exe(3928) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[-] -> Found
[Proc.Injected] RAVCpl64.exe(3960) -- C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[7] -> Found
[Proc.Injected] ActivateDesktop.exe(3976) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe[-] -> Found
[Proc.Injected] dwwatcher.exe(4008) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwwatcher.exe[7] -> Found
[Proc.Injected] frwl_svc.exe(3936) -- C:\Program Files\DrWeb\frwl_svc.exe[7] -> Found
[Proc.Injected] dwnetfilter.exe(4128) -- C:\Program Files\DrWeb\dwnetfilter.exe[7] -> Found
[Proc.Injected] spideragent.exe(4136) -- C:\Program Files\DrWeb\spideragent.exe[7] -> Found
[Proc.Injected] ClassicStartMenu.exe(4336) -- C:\Program Files\Classic Shell\ClassicStartMenu.exe[-] -> Found
[Proc.Injected] netsession_win.exe(4360) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] netsession_win.exe(4456) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] CCleaner64.exe(4492) -- C:\Program Files\CCleaner\CCleaner64.exe[7] -> Found
[Proc.Injected] ArcServer.exe(4516) -- C:\Program Files (x86)\Acer Remote\ArcServer.exe[-] -> Found
[Proc.Injected] hpwuschd2.exe(4540) -- C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[7] -> Found
[Proc.Injected] wmplayer.exe(4636) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe[-] -> Found
[Proc.Injected] frwl_notify.exe(4648) -- C:\Program Files\DrWeb\frwl_notify.exe[7] -> Found
[Proc.Injected] firefox.exe(4444) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] firefox.exe(4832) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] DeviceDetector.exe(5368) -- C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe[-] -> Found
[Proc.Injected] RIconMan.exe(588) -- C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[-] -> Found
[Proc.Injected] IntuitUpdateService.exe(5496) -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe[7] -> Found
[Proc.Injected] LMS.exe(3792) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[7] -> Found
[Proc.Injected] NASvc.exe(5648) -- c:\Program Files (x86)\Nero\Update\NASvc.exe[7] -> Found
[Proc.Injected] UNS.exe(5624) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7] -> Found
[Proc.Injected] wmpnetwk.exe(2688) -- C:\Program Files\Windows Media Player\wmpnetwk.exe[-] -> Found
[Proc.Injected] drwupsrv.exe(6140) -- C:\Program Files\Common Files\Doctor Web\Updater\drwupsrv.exe[7] -> Found
[Proc.Injected] conhost.exe(2292) -- C:\Windows\System32\conhost.exe[-] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK



SAFE MODE:

¤¤¤ Processes : 14 ¤¤¤
[Proc.Injected] wininit.exe(464) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(516) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(576) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(688) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(784) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(832) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(908) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(948) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(384) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(376) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1220) -- C:\Windows\System32\dllhost.exe[7] -> Found
[Proc.Injected] WmiPrvSE.exe(1320) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found
[Proc.Injected] WmiPrvSE.exe(1800) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK



--------------------------------------------------------------------------------------------------------

Let me know what you think. Thank you!

3
RogueKiller / Re: ===> False Positives <===
« on: February 07, 2017, 07:08:18 PM »
Hi Curson,

Thanks for getting back to me. I've done all this and here are links to the files on my Google Drive. I created a .ZIP and a .RAR just in case:

https://drive.google.com/file/d/0B5U9vVVDQn6iazYxa1V2anYyUGc/view (ZIP)
https://drive.google.com/file/d/0B5U9vVVDQn6idGRLMXA0a3VJWm8/view (RAR).

Let me know if you have any issues accessing or reading them.

Thanks for your help!

4
RogueKiller / Re: ===> False Positives <===
« on: February 07, 2017, 06:29:42 AM »
Hi there,

First I want to tell you I love your program.
I analyzed my system with RogueKiller. Please see my output below. I've got Dr. Web Security Space as well as Malwarebytes on the machine. I also have Sophos Virus Removal Tool installed on the system. I used to have Advanced System Care on this machine but recently removed it because it was likely helping to compromise my system. I received several Proc.Injected, Root.Necurs, and PUM.HomePage entries. I ran in Safe Mode.
Please let me know if this is a true infection or false positive, based on what you see:

----------------------------------------------------------------------------------------------------

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Safe mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/06/2017 21:36:42 (Duration : 00:18:59)

¤¤¤ Processes : 12 ¤¤¤
[Proc.Injected] wininit.exe(456) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(520) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(572) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(680) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(772) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(808) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(840) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(880) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(348) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(468) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1224) -- C:\Windows\System32\dllhost.exe[7] -> Found

¤¤¤ Registry : 9 ¤¤¤
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97855176CB095D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F9785531D1ACAC5 -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978556B1AA1B1D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978557637EA65F -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97856826CFAA11 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK
-------------------------------------------------------------------------------------------------------

Thank you!
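The scan reports pasted in these posts (the Safe Mode scan directly above, and the normal-boot versus Safe Mode pair in the post of February 08) all use the same line format. As an added example, not part of the posts and not a RogueKiller or Adlice tool, the Python script below parses that format into records, counts detections per category (Proc.Injected, Root.Necurs, PUM.HomePage) and compares the Proc.Injected entries of two runs by image path, since PIDs differ from boot to boot and cannot be matched directly. The two report excerpts are trimmed from the logs in this thread with the section counts adjusted to match; the meaning of the bracketed [7] / [-] marker after each process path is not stated in the thread, so it is carried through as an opaque field.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Excerpts of the RogueKiller reports pasted in the posts above, trimmed to a
# few lines each (section counts adjusted to match). The parser is an added
# example and not an Adlice/RogueKiller tool.
SAFE_MODE_REPORT = r"""
¤¤¤ Processes : 3 ¤¤¤
[Proc.Injected] wininit.exe(456) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] lsass.exe(572) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] explorer.exe(348) -- C:\Windows\explorer.exe[7] -> Found

¤¤¤ Registry : 3 ¤¤¤
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97855176CB095D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F9785531D1ACAC5 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found

¤¤¤ Tasks : 0 ¤¤¤
"""

NORMAL_MODE_REPORT = r"""
¤¤¤ Processes : 3 ¤¤¤
[Proc.Injected] wininit.exe(576) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] lsass.exe(688) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] firefox.exe(4444) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found

¤¤¤ Registry : 0 ¤¤¤
"""

# "¤¤¤ <Section> : <count> ¤¤¤"; the count is optional ("MBR Check : " has none).
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d+)?")
# "[Category.Name] <body> -> Found"; lines such as "[MBR] ..." do not match.
DETECTION_RE = re.compile(r"^\[(?P<category>[A-Za-z]+\.[A-Za-z]+)\] (?P<body>.+?)\s*-> (?P<status>\w+)\s*$")
# Process bodies: "<image>(<pid>) -- <full path>[<flag>]"; the flag ([7] / [-])
# is undocumented in the thread and is kept verbatim.
PROCESS_RE = re.compile(r"^(?P<image>\S+)\((?P<pid>\d+)\) -- (?P<path>.+)\[(?P<flag>[^\]]*)\]$")


@dataclass
class Detection:
    section: str                 # report section the line appeared under
    category: str                # RogueKiller tag, e.g. Proc.Injected, Root.Necurs
    target: str                  # remainder of the line: registry key, process descriptor
    status: str                  # "Found" in a scan-only report
    pid: Optional[int] = None    # process fields, filled only for process entries
    path: Optional[str] = None
    flag: Optional[str] = None


def parse_report(text: str) -> list:
    """Turn a pasted RogueKiller scan report into a list of Detection records."""
    detections, section = [], "?"
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        det = DETECTION_RE.match(line)
        if not det:
            continue  # blank lines, separators and the MBR dump are skipped
        d = Detection(section, det.group("category"), det.group("body").strip(), det.group("status"))
        proc = PROCESS_RE.match(d.target)
        if proc:
            d.pid, d.path, d.flag = int(proc.group("pid")), proc.group("path"), proc.group("flag")
        detections.append(d)
    return detections


def summarize(detections) -> dict:
    """Count detections per category, which shows at a glance what kind of entries dominate."""
    return dict(Counter(d.category for d in detections))


def injected_paths(detections) -> set:
    """Image paths flagged Proc.Injected; paths are stable across boots, PIDs are not."""
    return {d.path for d in detections if d.category == "Proc.Injected" and d.path}


def compare_runs(run_a, run_b) -> dict:
    """Which injected images were flagged in both runs (e.g. normal boot and Safe Mode)
    and which only in one of them."""
    a, b = injected_paths(run_a), injected_paths(run_b)
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    safe = parse_report(SAFE_MODE_REPORT)
    normal = parse_report(NORMAL_MODE_REPORT)
    print(summarize(safe))
    for key, paths in compare_runs(normal, safe).items():
        print(key, sorted(paths))
```

Running the script prints the per-category counts of the Safe Mode excerpt and then the three path sets of the comparison; on the full reports in the thread, the same comparison would show which images are flagged regardless of boot mode and which appear only in the normal boot, where the Dr.Web and other third-party processes are running.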
