Topic: need some help to sort out the Report (Read 6144 times)

mr108 (Guest)
« on: September 12, 2014, 06:43:45 PM »
Hello,

I just downloaded RogueKiller and had a first run. I managed to get some info about some of the scan results, but some I don't know how to handle.

Here is the scan report and below it my comments and questions (some comments are in red next to the line or in the report):

RogueKiller V9.2.10.0 (x64) [Jul 11 2014] by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : <user> [Admin rights]
Mode : Scan -- Date : 09/12/2014  20:26:10

¤¤¤ Bad processes : 5 ¤¤¤
[Suspicious.Path] PromptService.exe -- C:\Windows\PromptService.exe[-] -> KILLED [TermProc] - this is a process related to FolderProtect software; it starts again when I run the software.
[Suspicious.Path] PromptService64.exe -- C:\Windows\PromptService64.exe[-] -> KILLED [TermProc]  - this is a process related to FolderProtect software; it starts again when I run the software.
[Suspicious.Path] explorer.exe -- C:\Windows\Secure64.dll[-] -> UNLOADED  - according to the info on this page http://www.freefixer.com/library/file/Secure64.dll-113348/ it is not dangerous.
[Suspicious.Path] (SVC) Change Modem Device Service -- "C:\ProgramData\ChgService.exe" -service[-] -> STOPPED - this I'm not sure about but I think it's related to a USB modem, but even when it's stopped the modem works OK
[Suspicious.Path] (SVC) ALSysIO -- \??\C:\Users\<user>\AppData\Local\Temp\ALSysIO64.sys -> STOPPED - this one is related to the Core Temp utility, which stops functioning when this process stops; when I restart the utility it works OK again.

I guess that the Registry entries related to the processes above that seem OK should be ignored. The rest I'm not sure about.

¤¤¤ Registry Entries : 38 ¤¤¤
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PromptService : C:\Windows\PromptService.exe  -> FOUND
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PromptService64 : C:\Windows\PromptService64.exe  -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\<user>\AppData\Local\Temp\ALSysIO64.sys) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Change Modem Device Service ("C:\ProgramData\ChgService.exe" -service) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr (\??\C:\Users\<user>\AppData\Local\Temp\mbr.sys) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\<user>\AppData\Local\Temp\ALSysIO64.sys) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Change Modem Device Service ("C:\ProgramData\ChgService.exe" -service) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbr (\??\C:\Users\<user>\AppData\Local\Temp\mbr.sys) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\<user>\AppData\Local\Temp\ALSysIO64.sys) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Change Modem Device Service ("C:\ProgramData\ChgService.exe" -service) -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mbr (\??\C:\Users\<user>\AppData\Local\Temp\mbr.sys) -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=;ftp=;https=;  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=;ftp=;https=;  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> FOUND
[PUM.SecurityCenter] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1  -> FOUND
[PUM.SecurityCenter] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Security Center | FirewallDisableNotify : 1  -> FOUND
[PUM.SecurityCenter] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Security Center | FirewallDisableNotify : 1  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805}.job -- C:\Users\<user>\AppData\Local\Temp\cisC300.exe (--PostUninstall {15198508-521A-4D69-8E5B-B94A6CCFF805}) -> FOUND
[Suspicious.Path] CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}.job -- C:\Users\<user>\AppData\Local\Temp\cisC300.exe (--PostUninstall {81EFDD93-DBBE-415B-BE6E-49B9664E3E82}) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Antirootkit : 8 (Driver: LOADED) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_CREATE[0] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_CLOSE[2] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_DEVICE_CONTROL[14] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_POWER[22] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_SYSTEM_CONTROL[23] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_PNP[27] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[Filter(Kernel.Filter)] \Driver\Disk @ Unknown : \Driver\rvsystem @ Unknown (\SystemRoot\System32\drivers\rdyboost.sys)

¤¤¤ Web browsers : 0 ¤¤¤

The entries below were NOT visible in the GUI at all.

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-08A23T1 +++++
--- User ---
[MBR] 28f102a9dd071f289a61c59d879cddbc
[BSP] 0ec5265039d07e8ce23292699c45af96 : Lenovo MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 72113 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 150147072 | Size: 155160 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 467914752 | Size: 10000 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Seagate Portable USB Device +++++
--- User ---
[MBR] f0138e39e108e0cb65fa38d6fbcf80ae
[BSP] 62da78c003abb3da65286c3f0968cf05 : HP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 64 | Size: 476937 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 976768065 | Size: 476929 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: WD 3200BEV External USB Device +++++
--- User ---
[MBR] ceb979a64cbc2ec8653721e3d86adc50
[BSP] dda4cfa3184e0a9ee68e9af8a3875c47 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 16065 | Size: 305235 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 7 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_09122014_151947.log

----------------------------

I would appreciate any help with sorting out the remaining entries if there is any indication of problems.
Also I should mention that I could not get this report by clicking on the Report button; I had to open it in the Logs folder.

Thanks in advance for any help.
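Added example (not part of the post and not Adlice's own code): a small Python triage helper for the report format quoted above. It parses the `[Category] (scope) body -> STATUS` lines and the Antirootkit IRP-hook lines, annotates the `PUM.Policies` and `PUM.SecurityCenter` values with their documented Windows meaning, collapses the per-IRP hook lines into one count per hooking driver, and separates the cosmetic Start-menu and desktop-icon preferences from the entries that deserve a second look. The sample input is a constructed subset of lines copied from the report; the `review`/`benign`/`cosmetic`/`weakened-control` labels and the Temp-directory heuristic are this example's own conventions, not RogueKiller verdicts.

```python
"""Triage helper for RogueKiller text reports (added example, not Adlice code)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of lines copied from the report in the post above.
SAMPLE_REPORT = r"""
[Suspicious.Path] PromptService.exe -- C:\Windows\PromptService.exe[-] -> KILLED [TermProc]
[Suspicious.Path] (SVC) ALSysIO -- \??\C:\Users\<user>\AppData\Local\Temp\ALSysIO64.sys -> STOPPED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr (\??\C:\Users\<user>\AppData\Local\Temp\mbr.sys) -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=;ftp=;https=;  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> FOUND
[PUM.SecurityCenter] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1617716308-982729750-1780838627-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[Suspicious.Path] CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805}.job -- C:\Users\<user>\AppData\Local\Temp\cisC300.exe (--PostUninstall {15198508-521A-4D69-8E5B-B94A6CCFF805}) -> FOUND
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_CREATE[0] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\iaStor.sys - IRP_MJ_CLOSE[2] : C:\Windows\system32\DRIVERS\idmwfp.sys @ 0x3b282c0
"""

# "[Category] (X86|X64|SVC) body -> STATUS"; anything after STATUS (e.g. a user comment) is ignored.
ENTRY_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s*(?:\((?P<scope>X86|X64|SVC)\)\s*)?"
                      r"(?P<body>.*?)\s*->\s*(?P<status>\w+)")
# Antirootkit line: hooked driver - IRP_MJ_xxx[n] : hooking driver @ address
HOOK_RE = re.compile(r"^\[IRP:Addr\(Hook\.IRP\)\]\s+(?P<target>\S+)\s+-\s+"
                     r"(?P<irp>IRP_MJ_\w+)\[\d+\]\s+:\s+(?P<hooker>\S+)")

# Documented Windows meaning of the (name, value) pairs seen in the report.
POLICY_MEANING = {
    ("EnableLUA", "0"): ("weakened-control", "UAC is disabled"),
    ("ConsentPromptBehaviorAdmin", "0"): ("weakened-control", "admins elevate without a prompt"),
    ("FirewallDisableNotify", "1"): ("weakened-control", "firewall notifications are suppressed"),
    ("DisableTaskmgr", "0"): ("benign", "Task Manager is not disabled; 0 is the normal value"),
}
COSMETIC = {"PUM.StartMenu", "PUM.DesktopIcons"}   # Explorer display preferences
TEMP_MARKER = "\\appdata\\local\\temp\\"           # heuristic, compared case-insensitively


def triage_entry(line):
    """Parse one '[Category] ... -> STATUS' line and attach a label; None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    cat, scope, body, status = m.group("cat", "scope", "body", "status")
    entry = {"category": cat, "scope": scope, "status": status, "body": body,
             "key": None, "name": None, "value": None}
    if " | " in body:                               # registry value: KEY | name : value
        key, _, rest = body.partition(" | ")
        name, _, value = rest.partition(" : ")
        entry.update(key=key.strip(), name=name.strip(), value=value.strip())
    if cat in COSMETIC:
        label, note = "cosmetic", "Explorer display preference, not a security setting"
    elif cat == "PUM.Proxy":
        # "http=;ftp=;https=;" means every scheme has an empty proxy, i.e. none configured
        configured = [p for p in entry["value"].split(";") if p.partition("=")[2]]
        label, note = (("review", "proxy configured: " + ";".join(configured)) if configured
                       else ("benign", "no proxy server configured"))
    elif cat == "Suspicious.Path":
        label = "review"
        note = ("binary loaded from a user Temp directory; confirm which installed program owns it"
                if TEMP_MARKER in body.lower() else
                "binary outside the usual program locations; confirm which installed program owns it")
    else:
        label, note = POLICY_MEANING.get((entry["name"], entry["value"]),
                                         ("review", "value not in the lookup table"))
    entry.update(label=label, note=note)
    return entry


def summarise_hooks(lines):
    """Collapse per-IRP hook lines into one count per (hooking driver, hooked driver)."""
    counts = Counter()
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m:
            counts[(m.group("hooker"), m.group("target"))] += 1
    return dict(counts)


def triage_report(text):
    """Return parsed entries, the same entries grouped by label, and the hook summary."""
    lines = text.splitlines()
    entries = [e for e in (triage_entry(l) for l in lines) if e]
    by_label = defaultdict(list)
    for e in entries:
        by_label[e["label"]].append(e)
    return {"entries": entries, "by_label": dict(by_label), "hooks": summarise_hooks(lines)}


if __name__ == "__main__":
    report = triage_report(SAMPLE_REPORT)
    for label in ("weakened-control", "review", "benign", "cosmetic"):
        for e in report["by_label"].get(label, []):
            print(f"{label:17} {e['category']:19} {e['name'] or e['body'][:60]}  [{e['note']}]")
    for (hooker, target), n in report["hooks"].items():
        print(f"hook              {hooker} intercepts {n} IRP dispatch entries of {target}")
```

Run it as a script to see the grouped listing, or call `triage_report()` on the full text of an `RKreport_*.log` file. The parser is line-oriented and ignores anything after the status word, so inline comments like the ones the poster added after `-> KILLED` do not break it; the `Suspicious.Path` notes deliberately stop at "confirm the owning program", which is exactly the check the poster did for FolderProtect and Core Temp.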