Topic: Please help me with scan result

maricole

  • Guest
Please help me with scan result
« on: July 26, 2014, 07:24:25 AM »
Hello. I ran RogueKiller as recommended to remove a browser redirect virus. My redirect problem used to be MySearchDial and now Yahoo. I deleted all the oranges under registry. However, I see some have 'error [2]'. I don't know what to do with the grays and two orange entries under rootkit. Please advise.

Tigzy

  • Administrator
  • Hero Member
  • Owner, Adlice Software
Re: Please help me with scan result
« Reply #1 on: July 28, 2014, 11:39:18 AM »
Quote
RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Norikoul [Admin rights]
Mode : Remove -- Date : 07/25/2014  14:37:32

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 27 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\Run | GenieoUpdaterService : "C:\Users\Norikoul\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe" -wait 5
  • -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\Run | GenieoSystemTray : "C:\Users\Norikoul\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe"
  • -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\Run | MediaFire Tray : "C:\Users\Norikoul\AppData\Local\MediaFire Desktop\mf_watch.exe" --boot-start
  • -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\Run | GenieoUpdaterService : "C:\Users\Norikoul\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe" -wait 5  -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\Run | GenieoSystemTray : "C:\Users\Norikoul\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe"  -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\Run | MediaFire Tray : "C:\Users\Norikoul\AppData\Local\MediaFire Desktop\mf_watch.exe" --boot-start  -> ERROR [2]
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del91458097 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del"
  • -> DELETED
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del92122365 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del"
  • -> DELETED
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | DelTr4273818 : cmd.exe /c rd /s /q  "C:\Users\Norikoul\AppData\Roaming\mysearchdial"
  • -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del91458097 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del"
  • -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del92122365 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del"
  • -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | DelTr4273818 : cmd.exe /c rd /s /q  "C:\Users\Norikoul\AppData\Roaming\mysearchdial"
  • -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del91458097 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del"  -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del92122365 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del"  -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | DelTr4273818 : cmd.exe /c rd /s /q  "C:\Users\Norikoul\AppData\Roaming\mysearchdial"  -> ERROR [2]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MF NTFS Monitor -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCDSRVC{2368CD8C-B0B7C4E5-06020101}_0 -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MF NTFS Monitor -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCDSRVC{2368CD8C-B0B7C4E5-06020101}_0 -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MF NTFS Monitor -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCDSRVC{2368CD8C-B0B7C4E5-06020101}_0 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED

¤¤¤ Scheduled tasks : 3 ¤¤¤
[Suspicious.Path] Digital Sites.job -- C:\Users\Norikoul\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> DELETED
[Suspicious.Path] \\Digital Sites -- C:\Users\Norikoul\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> DELETED
[Suspicious.Path] \SaveDailyDeals\Updater\SaveDailyDeals updater -- C:\Windows\TEMP\1009.exe (/update /killb) -> DELETED

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 2 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\UBHelper @ \Device\UBHelper0 (\SystemRoot\system32\DRIVERS\atikmdag.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\NTIDrvr @ \Device\NTIDrvr1 (\??\C:\Windows\system32\drivers\UBHelper.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2565GSX ATA Device +++++
--- User ---
[MBR] 07ab5bb391448b0fd248d2ae615d1b54
[BSP] c0ed2e26908bcda25363a784cc81afcc : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31459328 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31664128 | Size: 223013 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_07252014_140727.log

Tigzy

Re: Please help me with scan result
« Reply #2 on: July 28, 2014, 11:42:51 AM »
Hello
This is a bug I have to fix, not a big problem. Look:

Quote
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del91458097 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del" -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3252924142-313350365-2090274538-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce | Del91458097 : cmd.exe /Q /D /c del "C:\Users\Norikoul\AppData\Local\Temp\0.del"  -> ERROR [2]

Some x86 registry views are a totally different registry key from the x64 view; some are a mirror. I have to look at them one by one.
In that case it's clear that it's a mirror (the key is already removed by the previous line). BTW, Error 2 means ERROR_FILE_NOT_FOUND.
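The mirror-versus-separate-key distinction Tigzy describes can be checked directly on a 64-bit Windows box. The PowerShell function below is an added example written for this page; it is not code from the thread and not part of RogueKiller. It opens the same autorun key through the 64-bit and the 32-bit registry view (the two views WOW64 gives a process), reports whether the named value is present in each, and, with -Remove, deletes it in each view in turn. When the two views are one physical key (as with the HKEY_USERS Run and RunOnce paths in the log, which WOW64 does not redirect), the first view reports 'deleted' and the second reports 'not found', the same outcome the log shows as ERROR [2]. When the 32-bit view is a genuinely separate Wow6432Node key, both views report 'deleted'. The function name and parameters are mine; it assumes PowerShell 3 or later on 64-bit Windows, and an elevated session for HKEY_LOCAL_MACHINE paths.

```powershell
# Added example: inspect (and optionally delete) one autorun value through both
# WOW64 registry views. Not from the original thread or from RogueKiller.
# Assumes 64-bit Windows, PowerShell 3+ (.NET 4 for RegistryKey.OpenBaseKey).
function Get-AutorunValueByView {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hive as RogueKiller prints it, e.g. HKEY_CURRENT_USER or HKEY_USERS
        [Parameter(Mandatory)]
        [ValidateSet('HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER', 'HKEY_USERS')]
        [string]$Hive,

        # Subkey below the hive, e.g. S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run
        [Parameter(Mandatory)]
        [string]$SubKey,

        # Value name as listed in the log, e.g. GenieoUpdaterService
        [Parameter(Mandatory)]
        [string]$ValueName,

        # Delete the value from each view where it is still present
        [switch]$Remove
    )

    $hiveMap = @{
        'HKEY_LOCAL_MACHINE' = [Microsoft.Win32.RegistryHive]::LocalMachine
        'HKEY_CURRENT_USER'  = [Microsoft.Win32.RegistryHive]::CurrentUser
        'HKEY_USERS'         = [Microsoft.Win32.RegistryHive]::Users
    }

    # Same order RogueKiller used in the log: the X64 entry first, then the X86 entry.
    $views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hiveMap[$Hive], $view)
        $key  = $base.OpenSubKey($SubKey, $Remove.IsPresent)   # writable only when deleting

        $result = [ordered]@{
            View    = $view
            Key     = "$Hive\$SubKey"
            Value   = $ValueName
            Present = $false
            Data    = $null
            Action  = 'none'
        }

        if ($null -ne $key) {
            # Read the raw data without expanding %ENV% strings, so it matches the log text.
            $data = $key.GetValue($ValueName, $null, 'DoNotExpandEnvironmentNames')

            if ($null -ne $data) {
                $result.Present = $true
                $result.Data    = $data
                if ($Remove -and $PSCmdlet.ShouldProcess("$Hive\$SubKey [$view]", "Delete value '$ValueName'")) {
                    $key.DeleteValue($ValueName, $false)
                    $result.Action = 'deleted'
                }
            }
            elseif ($Remove) {
                # Mirror case: the value vanished when the other view deleted it.
                # This is the condition the log reports as ERROR [2] (ERROR_FILE_NOT_FOUND).
                $result.Action = 'not found (ERROR_FILE_NOT_FOUND)'
            }
            $key.Close()
        }
        $base.Close()

        [pscustomobject]$result
    }
}

# Usage (paths taken from the log above; run without -Remove first to just look):
#   Get-AutorunValueByView -Hive HKEY_CURRENT_USER `
#       -SubKey 'Software\Microsoft\Windows\CurrentVersion\Run' -ValueName 'GenieoUpdaterService'
#   Get-AutorunValueByView -Hive HKEY_CURRENT_USER `
#       -SubKey 'Software\Microsoft\Windows\CurrentVersion\Run' -ValueName 'GenieoUpdaterService' -Remove -WhatIf
```

Because the function supports ShouldProcess, -WhatIf shows which view would be written without touching the registry; drop -WhatIf only once the value shown is the one you intend to remove. Deleting an autorun value stops the next logon launch but does not remove the executable it pointed to, so the file path in the Data column still needs to be cleaned up separately.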

maricole

  • Guest
Re: Please help me with scan result
« Reply #3 on: July 29, 2014, 06:50:22 AM »
Thank you very much, Tigzy. I admire your knowledge. I assume from your reply that I can just leave them alone.

Tigzy

Re: Please help me with scan result
« Reply #4 on: July 29, 2014, 09:02:27 AM »
Yes. And if you redo a scan, my 2 cents is that it's gone already :)