Author Topic: Help to understand rapport  (Read 5443 times)

0 Members and 1 Guest are viewing this topic.

October 26, 2014, 05:23:19 PM

ROUGEXIII

  • Guest
Help to understand rapport
« on: October 26, 2014, 05:23:19 PM »
Hi,

I need some help to make good decisions:

Quote
RogueKiller V10.0.3.0 [Oct 22 2014] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : https://www.surlatoile.org/RogueKiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Démarré en  : Mode normal
Utilisateur : Nous [Administrateur]
Mode : Scan -- Date : 10/25/2014  19:32:24

¤¤¤ Processus : 0 ¤¤¤

¤¤¤ Registre : 17 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{987D9269-F8A1-408F-BF62-4397D2F5363E} -> Trouvé(e)
[PUP] HKEY_CLASSES_ROOT\CLSID\{E0722BEB-FDA1-4AA1-A2A8-15A74A5B3F70} -> Trouvé(e)
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home  -> Trouvé(e)
[PUM.HomePage] HKEY_USERS\S-1-5-21-1957994488-1425521274-682003330-500\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome  -> Trouvé(e)
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Trouvé(e)
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1957994488-1425521274-682003330-500\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Trouvé(e)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 208.67.220.220 208.122.23.23 208.122.23.22  -> Trouvé(e)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 208.67.220.220 208.122.23.23 208.122.23.22  -> Trouvé(e)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 208.67.220.220 208.122.23.23 208.122.23.22  -> Trouvé(e)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A2E286A-785D-49A1-A636-8F7D7F1F4386} | DhcpNameServer : 208.67.220.220 208.122.23.23 208.122.23.22  -> Trouvé(e)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0A2E286A-785D-49A1-A636-8F7D7F1F4386} | DhcpNameServer : 208.67.220.220 208.122.23.23 208.122.23.22  -> Trouvé(e)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0A2E286A-785D-49A1-A636-8F7D7F1F4386} | DhcpNameServer : 208.67.220.220 208.122.23.23 208.122.23.22  -> Trouvé(e)
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Trouvé(e)
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | AntiVirusDisableNotify : 1  -> Trouvé(e)
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1  -> Trouvé(e)
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | UpdatesDisableNotify : 1  -> Trouvé(e)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 4 (Driver: Chargé) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\kbdclass.sys - IRP_MJ_READ[3] : C:\WINDOWS\system32\DRIVERS\ETD.sys @ 0xb8cc0232
[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Reenumerate_DevNode : C:\WINDOWS\system32\SETUPAPI.dll @ 0x779526a5
[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Get_DevNode_Status : C:\WINDOWS\system32\SETUPAPI.dll @ 0x778ec6eb
[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Get_Parent : C:\WINDOWS\system32\SETUPAPI.dll @ 0x77957a5d

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 PRO Seri +++++
--- User ---
[MBR] 208f510a80af32364f8196da8cedcbea
[BSP] 0afb9cfab2278a3298fd112f205eb557 : Linux MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 15629 MB
1 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 32010240 | Size: 228568 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST9500325AS +++++
--- User ---
[MBR] 24060d8113abc9930276cd2d7ece5a9d
[BSP] 8507159843d684491861c95d35f79b6f : Linux|Legit.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 15262 MB
1 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 31260670 | Size: 461676 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_09172014_161943.log - RKreport_SCN_10252014_183030.log

THis computer is a laptop initially under windows 7 i formated and work now from 6 month under windows xp (yes yes...) So some driver were hard to find but all work now.
I added a samsung SSD.
I use zone alarm firewall (for blocing some unwanted outgoing traffic first)
I have truecrypt running.

First i wanted to know if rootkits warn are legit or false positive?
And second if in register execpt the 3 PUM.SecurityCenter (i disable by myself) i have to remove them?

Thank you for help,
(And sorry for my english!)
« Last Edit: October 26, 2014, 05:28:15 PM by ROUGEXIII »

Reply #1October 27, 2014, 08:36:11 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 956
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Help to understand rapport
« Reply #1 on: October 27, 2014, 08:36:11 AM »
Hello
The rootkit section looks like false positives.
They will be added.

for the DNS, could you google the IPs to check if the country looks good to you? It should be in the same country as you.

Reply #2October 27, 2014, 08:22:38 PM

ROUGEXIII

  • Guest
Re: Help to understand rapport
« Reply #2 on: October 27, 2014, 08:22:38 PM »
Thanks for the answer.

I have configured my wifi repeater (router with DD-WRT) with the fastest DNS i found: 208.67.220.220 here in Montreal (Quebec, Canada).
It also seem to concorde?
And i forget to write sometime i use VirtualBox on the computer, dont know if it matters (but it creater new network connection)

Are the both PUP detection in register OK?

Malwarebyte found nothing.

Reply #3October 28, 2014, 01:30:22 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 956
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Help to understand rapport
« Reply #3 on: October 28, 2014, 01:30:22 PM »
PUPs can be removed indeed (Potentially Unwanted Software)