Messages

1

RogueKiller / Check this PUM out?It wasn't there before last time I scanned.Is this dangerous?

« on: March 25, 2018, 09:19:29 PM »

RogueKiller V12.12.9.0 (x64) [Mar 19 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/25/2018 19:49:59 (Duration : 00:26:33)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.SEH] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | EnableShellExecuteHooks : 1  -> Found
[PUM.SEH] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | EnableShellExecuteHooks : 1  -> Found

2

RogueKiller / Please analyze my log

« on: November 27, 2016, 01:49:16 PM »

¤¤¤ Registry : 4 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3234963918-1611741712-499426997-1002\Software\Microsoft\Windows\CurrentVersion\Run | BitTorrent : "C:\Users\****\AppData\Roaming\BitTorrent\updates\7.9.9_42924.exe"  /MINIMIZED [7] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3234963918-1611741712-499426997-1002\Software\Microsoft\Windows\CurrentVersion\Run | BitTorrent : "C:\Users\****\AppData\Roaming\BitTorrent\updates\7.9.9_42924.exe"  /MINIMIZED [7] -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3234963918-1611741712-499426997-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run | BitTorrent : "C:\Users\****\AppData\Roaming\BitTorrent\updates\7.9.9_42924.exe"  /MINIMIZED [7] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3234963918-1611741712-499426997-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run | BitTorrent : "C:\Users\****\AppData\Roaming\BitTorrent\updates\7.9.9_42924.exe"  /MINIMIZED [7] -> Found

Thanks

3

RogueKiller / Win32App_1

« on: November 01, 2016, 04:11:41 PM »

Got a new Entry in RK log:
[Hidden.ADS][] C::Win32App_1 -> Found

What is this? Wasn't there before. Is this a false positive?

Thanks

4

RogueKiller / Re: New log

« on: October 12, 2016, 09:41:34 AM »

Actually nevermind, I remember installing it now. It's still an FP though

5

RogueKiller / New log

« on: October 12, 2016, 09:01:58 AM »

Hi, are these false positives?

I've checked the files myself, are they part of the Win10? Because I don't remember downloading this tool

6

RogueKiller / RPEng folder

« on: July 20, 2016, 03:24:07 AM »

C:\Users\--\AppData\Roaming\RPEng

Latest Version RogueKiller just detected this folder as a PUP. Inside this folder there is another folder "402C6FBB7D9D4857868ED66F6CB63FB1" and in that folder there is a setup file called "TUU2014-FR-1day-AID1006172" Looks like this file had been there for a while as the creation date is 13 of February.

Is this file dangerous? I've tried looking up RPEng in google and looks like there are a lot of people with this folder on their PCs but it doesn't say if it's malicious or not

Thanks

7

RogueKiller / PUM Proxies

« on: July 14, 2016, 04:01:37 AM »

[PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-01-02-03-04-05 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\18-1e-78-4f-62-5e -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-01-02-03-04-05 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\18-1e-78-4f-62-5e -> Found

Any idea what are these and where did they come from? Latest version RogueKiller detected those.


wpad is supposedly some sort of an auto proxy detection tool in Windows. I've looked up the timestamps for these entries and found out that one of them was created yesterday at the time when I launched my torrenting program. Are these entries dangerous or not?
Thanks


http://kb.k12usa.com/Knowledgebase/Proxy-Auto-Detect-WPAD-Issues-With-IE-Windows-7 - here is a topic on wpad

8

RogueKiller / Re: Strange profile in HKEY_USERS

« on: May 11, 2016, 05:20:34 PM »

Hey appreciate it Curson...

I think I figured it out. RogueKiller actually reads from hives on different drives as well. I had an ancient Windows installation on disk F and it read from there.
It definitely wasn't the case before though. RogueKiller used to read only from hives on disk C but looks like not anymore

9

RogueKiller / Re: Strange profile in HKEY_USERS

« on: May 11, 2016, 03:48:57 PM »

Yep, looks like it is indeed from RogueKiller.
After I restarted Windows that RK_Alex_ON_F_F24B entry was gone.
But then I ran roguekiller again and it reappeared with a slightly different name along with several others "RK" ones


Curson or Tigzy I could really use your help on this one...

Like I said it's the ancient profile that is not in use on the current Windows installation but for some reasons this profile is dug up upon launching RogueKiller...
It's the first time I see anything like this

10

RogueKiller / Strange profile in HKEY_USERS

« on: May 11, 2016, 03:41:29 PM »

I've noticed a strange profile in my registry named RK_Alex_ON_F_F24B.
Upon closer inspection turns out it was my old Windows profile from 2015 installation.
I have no idea how it got there. Could it be from RogueKiller since the first two letters are RK?
¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\RK_Alex_ON_F_F24B\Software\Microsoft\Windows\CurrentVersion\Run | MP3 Skype recorder : C:\Users\Alex\AppData\Local\MP3 Skype recorder\MP3SkypeRecorder.exe

• -> Found

[Suspicious.Path] (X86) HKEY_USERS\RK_Alex_ON_F_F24B\Software\Microsoft\Windows\CurrentVersion\Run | MP3 Skype recorder : C:\Users\Alex\AppData\Local\MP3 Skype recorder\MP3SkypeRecorder.exe

• -> Found

Like I said this profile is ancient and is not in use anymore. I'm just wondering how the heck it's still in my registry even though I reinstalled windows

11

RogueKiller / Re: Partner entry

« on: January 25, 2016, 10:37:24 PM »

Thanks Curson.

I removed it again but I have a feeling it will come back sooner or later like always.
Interesting how it got there considering RK doesn't detect anything else and MBAM also.

12

RogueKiller / Partner entry

« on: January 25, 2016, 08:48:01 PM »

RK found this entry a while ago and I removed it.
However it seems like it came back upon the latest scan.

¤¤¤ Registry : 1 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Partner -> Found

What is this entry? I searched the forums and found out that some other people have it too. However there is no definite answer on this

I had it on my previous windows installation too. I reinstalled windows10 recently and it seems like it's still there

13

RogueKiller / Re: Skype VT.Unknown

« on: October 20, 2015, 07:53:33 PM »

Okay thanks. Are these IAT hooks that can be seen in the log legit or not though?

14

RogueKiller / Re: Skype VT.Unknown

« on: October 18, 2015, 08:25:48 PM »

Some more stuff was found after the scan completed

I included the log below

15

RogueKiller / Skype VT.Unknown

« on: October 18, 2015, 08:05:50 PM »

Is this a false positive?