Topic: Please help with report, what not to delete?

sabeleon (Newbie)
Please help with report, what not to delete?
« on: August 13, 2017, 02:41:03 PM »
Hello,

Could you please help me with the report from RogueKiller scan of my PC. I'm really not sure what NOT to remove.
I'll give you my report.
Thank you very much.

** Report found threats by RogueKiller: **

RogueKiller V12.11.9.0 (x64) [Aug  3 2017] (Free) door Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Besturingssysteem : Windows 8.1 (6.3.9600) 64 bits version
Gestart in : Normale mode
Gebruiker : sandra [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Datum : 08/13/2017 12:47:53 (Duration : 00:12:58)

¤¤¤ Processen : 0 ¤¤¤

¤¤¤ Register : 14 ¤¤¤
[PUP.DriverPack] (X64) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\drpsu -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\Softonic -> Gevonden
[PUP.DriverPack] (X86) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\drpsu -> Gevonden
[PUP.Gen1] (X86) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\Softonic -> Gevonden
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_F_9039\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5EC3041D-F02A-46A7-8F6E-A54CED2ACBBE} : v2.0|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Sandra\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe|Name=Microsoft OneDrive|Edge=FALSE| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {77EBCB6B-C7B6-4E50-AD7D-A59E47B440BE} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KMSELDI.exe|Name=KMS Emulator: KMSELDI.exe| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {EE0619FD-81BF-4E56-B549-13F7B990886F} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KMSELDI.exe|Name=KMS Emulator: KMSELDI.exe| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {25F4FE16-969E-456E-9BE4-9D20812B8E34} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KMSServer.exe|Name=KMS Emulator: KMSServer.exe| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F034E27F-8376-49F7-B8B5-6EE9D5C78CE3} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KMSServer.exe|Name=KMS Emulator: KMSServer.exe| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D688CDCB-F6BB-4346-938D-D08EAF6C8D2F} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\Service_KMS.exe|Name=KMS Emulator: Service_KMS.exe| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F0BE443C-B41E-4919-B41D-616ECD0A33F2} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\Service_KMS.exe|Name=KMS Emulator: Service_KMS.exe| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {ADF785FE-A606-46AA-B3D9-4AC8B11E11E9} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\AutoPico.exe|Name=KMS Emulator: AutoPico.exe| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {99F2A4DB-028D-4DDE-BA60-A21056A4BD2B} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\AutoPico.exe|Name=KMS Emulator: AutoPico.exe| -> Gevonden
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_F_9039\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5EC3041D-F02A-46A7-8F6E-A54CED2ACBBE} : v2.0|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Sandra\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe|Name=Microsoft OneDrive|Edge=FALSE| -> Gevonden

¤¤¤ Taken : 0 ¤¤¤

¤¤¤ Bestanden : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Host-bestand : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Geladen) ¤¤¤

¤¤¤ Web Browsers : 2 ¤¤¤
[PUM.HomePage][Firefox:Config] nunl31rw.default : user_pref("browser.startup.homepage", "http://www.adhdcafe-breda.nl|http://www.adhd-nederland.nl/opleiding-training-workshops/opleiding-training-workshops/|https://www.zwartekat.nl/speellijsten/|http://mattkersley.com/responsive/|https://www.sitepoint.com/understanding-css-grid-systems/|https://www.coursera.org/learn/website-coding?recoOrder=5&utm_medium=email&utm_source=recommendations&utm_campaign=recommendationsEmail%7Erecs_email_2016_06_12_17%3A57|http://1stwebdesigner.com/fluid-grid-layout/| http://www.webwijzer.nl/leren-online/spaans-leren.html| http://www.dailymotion.com/video/x26ofhs_south-park-season-18-episode-1-go-fund-yourself_shortfilms|http://www.uvh.nl/hoorcolleges/hoe-kan-ik-omgaan-met-kwetsbaarheid|http://www.techtimes.com/articles/187509/20161202/spiritual-religious-experiences-activate-same-reward-circuits-in-the-brain-as-love-drugs-and-music.htm|https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&sacu=1&rip=1#identifier|http://www.allradio.nl|http://radioplayer.npo.nl/radio2/|http://blog.teamtreehouse.com/css-positioning|file:///G:/@Actief%202015-2016/2015%20Studie%20-%20Uitvoering/AT%20Studie_zf%20-%20Web%20development/Aantekeningen/Cheatsheets/css-selectors-overview.html|https://cloudfour.com/thinks/responsive-images-101-part-9-image-breakpoints/|https://www.google.nl/search?q=hyperfocus+coaching&ie=utf-8&oe=utf-8&client=firefox-b-ab&gfe_rd=cr&ei=UW1SWISfD9LG8AfR9qL4Aw|https://www.google.nl/search?q=southpark+butters+fired+as+friend&ie=utf-8&oe=utf-8&client=firefox-b-ab&gfe_rd=cr&ei=INCyWMLiJqPc8AeN54uADg#q=south+park+episode+6+butters+fired&tbm=vid&start=40&*|http://www.ikleerinbeelden.nl/beelddenken/gedrag-beelddenken/hyperfocu/"); -> Gevonden
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.nporadio2.nl/live|https://web.whatsapp.com/|chrome://bookmarks/|http://localhost/sa_wordpress/pcrestarttest/wp-admin/|http://localhost/sa_wordpress/pcrestarttest/] -> Gevonden

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO M.2 250GB +++++
--- User ---
[MBR] f33236c0dc6a869a11a57cbdfc566395
[BSP] d458816dd0bfae263e728e0c4e880094 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 238123 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST2000DM001-1ER164 +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2000 MB
2 - Basic data partition | Offset (sectors): 4360192 | Size: 1905599 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Samsung SSD 850 EVO 250GB +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: TOSHIBA MK2546GSX USB Device +++++
--- User ---
[MBR] 3211b6b6ffcc0acd2ef3cd3a39f3d612
[BSP] 11841e2f73041bd2ba3bb4e28d28256f : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 120360 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 249571328 | Size: 116614 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] De aanvraag wordt niet ondersteund. )

Curson (Global Moderator, Hero Member)
Re: Please help with report, what not to delete?
« Reply #1 on: August 13, 2017, 08:02:22 PM »
Hi sabeleon,

Welcome to Adlice.com Forum.
You can safely remove the following entries as well as the [PUP.HackTool] ones:
Code:
[PUP.DriverPack] (X64) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\drpsu -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\Softonic -> Gevonden
[PUP.DriverPack] (X86) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\drpsu -> Gevonden
[PUP.Gen1] (X86) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\Softonic -> Gevonden

I strongly advise you to uninstall the KMSpico service, too.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.
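The registry hits in the report above all share one line shape, and the firewall entries additionally carry the raw `FirewallRules` value that Windows keeps per rule (`v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|...`). The following is an added example, my own code rather than anything from this thread or from RogueKiller, that parses those lines, splits each rule value into its `Key=Value` fields and attaches a triage verdict that mirrors Curson's answer (PUP entries and the PUP.HackTool rules are removable, anything else is reviewed by hand). The four sample lines are copied from the report; the verdict table and the `parse_report`/`parse_firewall_rule` names are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: four lines copied from the RogueKiller report in this
# thread ("Gevonden" is the Dutch build's rendering of "Found").
SAMPLE_REPORT = r"""
[PUP.DriverPack] (X64) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\drpsu -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\RK_Sandra_ON_F_4EC1\Software\Softonic -> Gevonden
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_F_9039\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5EC3041D-F02A-46A7-8F6E-A54CED2ACBBE} : v2.0|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Sandra\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe|Name=Microsoft OneDrive|Edge=FALSE| -> Gevonden
[PUP.HackTool] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {77EBCB6B-C7B6-4E50-AD7D-A59E47B440BE} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KMSELDI.exe|Name=KMS Emulator: KMSELDI.exe| -> Gevonden
"""

# One registry line: "[Category] (Arch) Key [| {GUID} : data] -> Status".
# The key is matched lazily so the optional "| {GUID} : data" part, when
# present, is split off before the trailing "-> Status".
ENTRY_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?)"
    r"(?: \| (?P<guid>\{[0-9A-Fa-f-]+\}) : (?P<data>.+?))?"
    r" -> (?P<status>\S+)$"
)

# Assumed triage table, ordered so the more specific prefix is tested first.
VERDICTS = {
    "PUP.HackTool": "remove: inbound firewall rule opened for a KMS activator",
    "PUP.": "remove: potentially unwanted program",
}


def parse_firewall_rule(data):
    """Split a FirewallRules value ('v2.22|Action=Allow|...|') into a dict.

    The first '|'-separated token is the schema version; the rest are
    Key=Value pairs. The trailing '|' yields an empty token that is dropped.
    """
    tokens = [t for t in data.split("|") if t]
    rule = {"Version": tokens[0]}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        rule[key] = value
    return rule


def verdict_for(category):
    """Map a RogueKiller category to a triage verdict (default: manual review)."""
    for prefix, verdict in VERDICTS.items():
        if category.startswith(prefix):
            return verdict
    return "review manually before deleting"


def parse_report(text):
    """Parse the registry section of a RogueKiller report into triage records."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank line or a section header such as "¤¤¤ Register : 14 ¤¤¤"
        record = m.groupdict()
        record["rule"] = parse_firewall_rule(record["data"]) if record["data"] else None
        record["verdict"] = verdict_for(record["category"])
        records.append(record)
    return records


def summarize(records):
    """Count records per category so a long report can be read at a glance."""
    return Counter(r["category"] for r in records)


if __name__ == "__main__":
    records = parse_report(SAMPLE_REPORT)
    for r in records:
        target = r["rule"]["App"] if r["rule"] else r["key"]
        print(f'{r["category"]:<16} {r["arch"]} {target}\n    -> {r["verdict"]}')
    print(summarize(records))
```

Run it against the full report text and the summary shows at once that the eight PUP.HackTool lines are four executables under `C:\Program Files\KMSpico` with one TCP (Protocol=6) and one UDP (Protocol=17) inbound rule each, which is why the moderator's advice covers the service itself and not only the rule entries.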

sabeleon (Newbie)
Re: Please help with report, what not to delete?
« Reply #2 on: August 15, 2017, 12:16:01 PM »
Hi Curson,

Thank you for your reply including the advice!
No problem that you moved my thread; I will take this into account for my next post.

Regards,



Curson (Global Moderator, Hero Member)
Re: Please help with report, what not to delete?
« Reply #3 on: August 15, 2017, 02:37:46 PM »
Hi sabeleon,

You are very welcome.

Regards.