Author Topic: Interpreting a report  (Read 7313 times)


Guilhem

  • Guest
Interpreting a report
« on: June 09, 2014, 01:40:12 PM »
Hi, I just ran RogueKiller, and I'm not sure how I should interpret the results, as it is not clear to me whether the identified entries are malware or false positives.
Could you help me interpret them?

RogueKiller V9.0.2.0 (x64) [Jun  3 2014] by Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.surlatoile.org/RogueKiller/
Blog : http://www.adlice.com

Operating system : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Startup : Normal mode
User : Guilhem [Admin rights]
Mode : Scan -- Date : 06/09/2014  13:15:59

¤¤¤ Malicious processes : 0 ¤¤¤

¤¤¤ Registry entries : 13 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-73152508-187429424-2826586374-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 172.16.1.1:8080  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-73152508-187429424-2826586374-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 172.16.1.1:8080  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DAFB41F-FC1A-4463-9D2E-3CCEF59FCBD0} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A610B0CA-33C9-4AAA-9BD2-32046014FEAB} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B8DD4622-CE6A-4430-8DA7-D5F28FEF27F7} | NameServer : 0.0.0.0  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3DAFB41F-FC1A-4463-9D2E-3CCEF59FCBD0} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A610B0CA-33C9-4AAA-9BD2-32046014FEAB} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B8DD4622-CE6A-4430-8DA7-D5F28FEF27F7} | NameServer : 0.0.0.0  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3DAFB41F-FC1A-4463-9D2E-3CCEF59FCBD0} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{A610B0CA-33C9-4AAA-9BD2-32046014FEAB} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B8DD4622-CE6A-4430-8DA7-D5F28FEF27F7} | NameServer : 0.0.0.0  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \\{28168AC3-63EA-47F4-9E0F-533F50F295C0} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Guilhem\AppData\Local\Temp\Temp1_ATKPackage_WIN7_32_WIN7_64_z100007.zip\Setup.exe) -> FOUND
[Suspicious.Path] \\{DDB778F0-902E-45F9-A363-1F9F011A0309} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Guilhem\Downloads\Win7Vista_64_152257.exe -d C:\Users\Guilhem\Downloads) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS file : 0 ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.Proxy][FIREFX:Config] xxy5dugl.default : user_pref("network.proxy.http", "172.16.1.1"); -> FOUND
[PUM.Proxy][FIREFX:Config] xxy5dugl.default : user_pref("network.proxy.http_port", 8080); -> FOUND

¤¤¤ MBR Verif : ¤¤¤
+++++ PhysicalDrive0: WDC WD6400BEVT-80A0RT1 +++++
--- User ---
[MBR] 38202aa4b5803961dd3e05dfe6f3c7b2
[BSP] 3d08166b18bfc7a96b227f534e974f6f : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 22003 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 45062328 | Size: 152620 MB
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 357629952 | Size: 435855 MB
User = LL1 ... OK
User = LL2 ... OK

Many thanks!

Tigzy

  • Administrator
  • Owner, Adlice Software
Re: Interpreting a report
« Reply #1 on: June 09, 2014, 02:25:22 PM »
Hello
You can remove everything except the DNS, which seems legit (Belgium).
« Last Edit: June 09, 2014, 02:26:58 PM by Tigzy »
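As an added example (it is not part of this thread and not Adlice code), the script below parses the detection lines of the report above and applies the reasoning behind Tigzy's answer mechanically. PUM stands for Potentially Unwanted Modification: a setting that malware does change but that users, administrators and installers change too, so it is the value that has to be judged, not the category. The script checks whether the proxy and DNS addresses are private (RFC 1918, loopback, link-local) or public, collapses the CurrentControlSet / ControlSet001 / ControlSet002 duplicates (CurrentControlSet is a link to one of the numbered sets, so those are one setting seen through three paths), names the two HideDesktopIcons CLSIDs, and flags scheduled tasks that point pcalua.exe (the Program Compatibility Assistant launcher) at a file in Temp or Downloads. The sample lines are copied from the report above with the status word in English; the verdict words, the CLSID-to-name table and the user-writable-path test are this example's own assumptions.

```python
"""Triage helper for RogueKiller detection lines (added example, not Adlice code)."""
import ipaddress
import re

# Line shapes of the "Registry entries", "Scheduled tasks" and "Web browsers" sections.
REG_RE = re.compile(
    r'^\[(?P<cat>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| (?P<name>.+?) : '
    r'(?P<data>.*?)\s+-> (?P<status>\S+)$')
TASK_RE = re.compile(
    r'^\[(?P<cat>[^\]]+)\] (?P<task>\S+) -- (?P<exe>.+?) \((?P<args>.*)\) -> (?P<status>\S+)$')
BROWSER_RE = re.compile(
    r'^\[(?P<cat>[^\]]+)\]\[(?P<browser>[^\]]+)\] (?P<profile>\S+) : '
    r'user_pref\("(?P<pref>[^"]+)", (?P<value>.+?)\); -> (?P<status>\S+)$')
# CurrentControlSet is a symbolic link to one ControlSet00N: normalise so one
# interface setting is reported once instead of three times.
CONTROLSET_RE = re.compile(r'\\(?:CurrentControlSet|ControlSet\d{3})\\', re.IGNORECASE)
# Shell CLSIDs the report's HideDesktopIcons entries refer to (assumed table).
DESKTOP_ICON_CLSIDS = {
    '{20D04FE0-3AEA-1069-A2D8-08002B30309D}': 'Computer',
    '{59031A47-3F72-44A7-89C5-5595FE6B30EE}': "user's files folder",
}
USER_WRITABLE_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Downloads)\\', re.IGNORECASE)

# Sample input: lines copied from the report above (status translated); headers are ignored.
REPORT = r"""
¤¤¤ Registry entries : 13 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-73152508-187429424-2826586374-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 172.16.1.1:8080  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-73152508-187429424-2826586374-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 172.16.1.1:8080  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DAFB41F-FC1A-4463-9D2E-3CCEF59FCBD0} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3DAFB41F-FC1A-4463-9D2E-3CCEF59FCBD0} | NameServer : 138.48.4.4,138.48.4.10  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B8DD4622-CE6A-4430-8DA7-D5F28FEF27F7} | NameServer : 0.0.0.0  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[Suspicious.Path] \\{DDB778F0-902E-45F9-A363-1F9F011A0309} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Guilhem\Downloads\Win7Vista_64_152257.exe -d C:\Users\Guilhem\Downloads) -> FOUND
[PUM.Proxy][FIREFX:Config] xxy5dugl.default : user_pref("network.proxy.http", "172.16.1.1"); -> FOUND
[PUM.Proxy][FIREFX:Config] xxy5dugl.default : user_pref("network.proxy.http_port", 8080); -> FOUND
"""


def parse_report(text):
    """Return one dict per detection line; every other line of the report is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (('browser', BROWSER_RE), ('task', TASK_RE), ('registry', REG_RE)):
            m = rx.match(line)
            if m:
                entries.append({'kind': kind, **m.groupdict()})
                break
    return entries


def classify_ip(text):
    """'unset' for 0.0.0.0, 'private' for RFC 1918/loopback/link-local, 'public' otherwise."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return 'invalid'
    if ip.is_unspecified:
        return 'unset'
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return 'private'
    return 'public'


def triage(entries):
    """Map each parsed entry to (category, target, verdict, reason)."""
    findings, seen_dns = [], set()
    for e in entries:
        cat = e['cat']
        if cat == 'PUM.Proxy':
            if e['kind'] == 'registry':
                host = e['data'].rsplit(':', 1)[0]          # strip ":port"
            elif e['kind'] == 'browser' and e['pref'] == 'network.proxy.http':
                host = e['value'].strip('"')
            else:
                continue   # the bare port pref says nothing about where traffic goes
            kind = classify_ip(host)
            if kind == 'private':
                findings.append((cat, host, 'verify',
                                 'LAN address, consistent with a network or corporate proxy; '
                                 'remove if you did not configure it'))
            else:
                findings.append((cat, host, 'review',
                                 f'{kind} proxy host: browser traffic is routed through it'))
        elif cat == 'PUM.Dns' and e['kind'] == 'registry':
            iface = CONTROLSET_RE.sub(lambda _m: '\\<ControlSet>\\', e['key'])
            if (iface, e['data']) in seen_dns:
                continue   # same interface, same resolvers, another ControlSet path
            seen_dns.add((iface, e['data']))
            kinds = {ip: classify_ip(ip) for ip in e['data'].split(',')}
            if set(kinds.values()) == {'unset'}:
                findings.append((cat, e['data'], 'ignore', 'no static resolver on this interface'))
            else:
                detail = ', '.join(f'{ip}={k}' for ip, k in kinds.items())
                findings.append((cat, e['data'], 'verify',
                                 f'static resolvers ({detail}); confirm they belong to your ISP or organisation'))
        elif cat == 'PUM.DesktopIcons' and e['kind'] == 'registry':
            name = DESKTOP_ICON_CLSIDS.get(e['name'].upper(), 'unknown CLSID')
            findings.append((cat, e['name'], 'cosmetic',
                             f'hides the "{name}" desktop icon (value {e["data"]})'))
        elif cat == 'Suspicious.Path' and e['kind'] == 'task':
            exe = e['exe'].rsplit('\\', 1)[-1].lower()
            m = re.match(r'-a (?P<target>.+?)(?: -d .*)?$', e['args'])
            target = m.group('target') if m else e['args']
            if exe == 'pcalua.exe' and USER_WRITABLE_RE.search(target):
                reason = ('Program Compatibility Assistant launcher re-running a file '
                          'from a user-writable folder; check the file still exists and why')
            else:
                reason = 'task runs a program from an unusual path'
            findings.append((cat, target, 'review', reason))
    return findings


if __name__ == '__main__':
    for cat, target, verdict, reason in triage(parse_report(REPORT)):
        print(f'{verdict:8} {cat:18} {target}\n         {reason}')
```

The verdicts are deliberately not "clean" or "infected": a PUM line only tells you that a setting is non-default. The 172.16.1.1 proxy is a private address, so it is consistent with a gateway or corporate proxy and is only a problem if the user never set it (which is what makes it safe to remove here); the two resolvers are public and need the kind of sanity check Tigzy did; the 0.0.0.0 entry is an interface with no static resolver at all.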

Guilhem

  • Guest
Re: Interpreting a report
« Reply #2 on: June 10, 2014, 11:59:49 PM »
Thanks