
Topics - JukkaG

1
RogueKiller / Some PUM DNS entries detected, anything to worry about?
« on: January 31, 2016, 07:57:17 pm »
So I got some PUM DNS entries while doing regular scans (so there have been no symptoms or anything, I just scan regularly to be sure). Log attached; I guess that they are just some false positives, but it would still be nice if you could comment on them just to be certain.

        "registry": [
            {
                "scan_what": 1,
                "scan_how": [
                    11
                ],
                "scan_how_trigger": 11,
                "vendors": [
                    "PUM.Dns"
                ],
                "rule_name": "DNS",
                "view": 256,
                "value": "DhcpNameServer",
                "subkey": "",
                "value_old_data": "",
                "value_data": "172.20.10.1",
                "path": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{2f726e50-cd41-448e-81eb-c57027f22000}",
                "extra": "[X]",
                "files_status": "",
                "vtscore": -1,
                "files": [],
                "status_str": "Found",
                "status_choice": 1,
                "status_removed": 0
            },
            {
                "scan_what": 1,
                "scan_how": [
                    11
                ],
                "scan_how_trigger": 11,
                "vendors": [
                    "PUM.Dns"
                ],
                "rule_name": "DNS",
                "view": 256,
                "value": "DhcpNameServer",
                "subkey": "",
                "value_old_data": "",
                "value_data": "172.20.10.1",
                "path": "HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{2f726e50-cd41-448e-81eb-c57027f22000}",
                "extra": "[X]",
                "files_status": "",
                "vtscore": -1,
                "files": [],
                "status_str": "Found",
                "status_choice": 1,
                "status_removed": 0
            }
        ]

2
So, first off, that F-Secure-related Zeus detection is false and happens on all computers that have F-Secure; you should whitelist it.

But that isn't what I'm worried about; I'm worried about the IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)

However, RogueKiller is the only program that detects anything; full scans by TDSSKiller, aswMBR, Kaspersky Virus Removal Tool, HitmanPro, ESET Online Scanner, Malwarebytes Anti-Malware and F-Secure have found nothing. I know that it's most likely just a false positive too, precisely because of that, but could someone with more knowledge tell me if that one looks suspicious?

3
RogueKiller / RogueKiller wanted to upload a file called Bootstrap.dmp
« on: September 13, 2015, 02:54:07 am »
When I was doing a scan with RogueKiller as part of my regular paranoia checks (so no real reason for it, no infection symptoms or anything), it wanted to upload a file called bootstrap.dmp to VirusTotal, but in the end the results didn't show any infections or anything (neither Avast, Malwarebytes nor HitmanPro found anything). Should I worry about it? The file was located in the folder C:\Users\Jukka-Admin\AppData\Local\Temp, and when I uploaded it to VirusTotal it didn't show up as malicious.

Virustotal link: https://www.virustotal.com/en/file/37ac6199a62553aeebb8afa8eef9c3726daa3d85109bd535e1771afbbc6cb39e/analysis/1442101214/

Of course, I realize that it's just a dump file and thus, even if it was related to some virus, it's not the culprit itself. It would be really nice to know if it is just completely harmless. I'm also linking the scan log.
