Author Topic: RogueKiller stops prescan at 80%  (Read 14287 times)


March 17, 2015, 03:49:54 PM

firefoxthebomb
RogueKiller stops prescan at 80%
« on: March 17, 2015, 03:49:54 PM »
I am trying to use RogueKiller v10.5.5.0x64 to scan a couple of computers with Symantec Endpoint Protection v12.1.5 (a couple to confirm I get the same results). During the pre-scan process it stops scanning once it hits 80%, while checking services: NAVENG. I attached the screenshot. Also I was trying to get a dump using Process Explorer, but RogueKiller also kills the process before I can use it to get the dump.

Any help appreciated... This has been happening for a few versions back as well.
Dell Precision T5600, Win7 Ultimate 64bit fully updated, Symantec Endpoint Protection,
Watchguard Firewall, Intel Xeon E5-2620 CPU, Dual Six Core Process

Reply #1, March 18, 2015, 10:51:43 AM

Curson (Global Moderator)
Re: RogueKiller stops prescan at 80%
« Reply #1 on: March 18, 2015, 10:51:43 AM »
Hi firefoxthebomb,

Welcome to Adlice.com Forum!
The behaviour you described is a known bug. We strive to solve it as soon as possible.

Regards.

Reply #2, March 18, 2015, 09:51:31 PM

firefoxthebomb
Re: RogueKiller stops prescan at 80%
« Reply #2 on: March 18, 2015, 09:51:31 PM »
Thanks for the Welcome!  8)

Thanks for getting back to me. I figured as much, just thought I would share it in case the info was needed or further testing was required. Look forward to a fix.

In the meantime, is there a workaround?

Reply #3, March 18, 2015, 10:44:44 PM

Curson (Global Moderator)
Re: RogueKiller stops prescan at 80%
« Reply #3 on: March 18, 2015, 10:44:44 PM »
Hi firefoxthebomb,

You are very welcome. :)
Your contribution to RogueKiller is appreciated.

Regarding the bug, there is unfortunately no workaround available at the moment, except to realize the scan in Safe mode.
I will keep you informed of developments about this particular issue.

Regards.

Reply #4, March 19, 2015, 04:32:31 PM

firefoxthebomb
Re: RogueKiller stops prescan at 80%
« Reply #4 on: March 19, 2015, 04:32:31 PM »
Thanks for the additional update. I will try in safe mode; Windows 8 is a little trickier to get into safe mode....

Anyway look forward to an update and fix.  Thanks

Reply #5, March 19, 2015, 10:30:11 PM

Curson (Global Moderator)
Re: RogueKiller stops prescan at 80%
« Reply #5 on: March 19, 2015, 10:30:11 PM »
Hi firefoxthebomb,

You are welcome.
This guide might help you to reboot into Safe mode: How To Boot Into Safe Mode On Windows 8 or 8.1 (The Easy Way).

Regards.

Reply #6, March 23, 2015, 01:36:14 AM

firefoxthebomb
Re: RogueKiller stops prescan at 80%
« Reply #6 on: March 23, 2015, 01:36:14 AM »
Thanks for that info. Also, I noticed there was a new update, v10.5.7... This version works now, as it does not get stuck; however, I still get an error or process terminated for Symantec Endpoint Protection... See image.

When I ran the scan it got stuck at 3% and now says not responding... let it sit for a while and it came back, will let you know if it completes...

« Last Edit: March 23, 2015, 01:39:59 AM by firefoxthebomb »

Reply #7, March 23, 2015, 02:01:53 AM

firefoxthebomb
Re: RogueKiller stops prescan at 80%
« Reply #7 on: March 23, 2015, 02:01:53 AM »
Well, the scan did go up to 4% and then locked up once again, and would not move from there. I ended the task in Task Manager and then re-launched RogueKiller. This time it completed the prescan and was also able to complete the scan I ran. The report is below if that helps with fixing the issue...

RogueKiller V10.5.7.0 (x64) [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Firefox [Administrator]
Started from : C:\temp\RogueKillerX64 V10.5.7.exe
Mode : Scan -- Date : 03/22/2015  19:54:54

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSVia64 -- \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys[7] -> ERROR [41c]

¤¤¤ Registry : 16 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 34 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 27 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\drivers\symefasi\0500010.01F\symefasi.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\drivers\symefasi\0500010.01F\symefasi.sys)
[IAT:Addr(Hook.IEAT)] (iexplore.exe) msvcrt.dll - memcpy : C:\Program Files (x86)\Stardock\ObjectDockPlus2\Dock64.dll @ 0x2eb8030
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileA :  @ 0x0 ()

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] ljcy9al9.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/|http://www.bleepingcomputer.com/forums/|http://www.systemlookup.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103UJ ATA Device +++++
--- User ---
[MBR] 074b342e6503d998a5f55dd94a2f3549
[BSP] 3cfc57663abb2195f66e045b394cdbf0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 976762880 | Size: 476933 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG HD103UJ ATA Device +++++
--- User ---
[MBR] a3e94eac8201feabc51ff6a00d3a1123
[BSP] e3b27120b8c9e7a10f8d5b6df0d6a6da : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: KANGURU SS3 USB Device +++++
--- User ---
[MBR] 39d4b669dd54e10382bd49dd16a68f0a
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 60300 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_03222015_194500.log


Reply #8, March 23, 2015, 03:23:31 PM

Curson (Global Moderator)
Re: RogueKiller stops prescan at 80%
« Reply #8 on: March 23, 2015, 03:23:31 PM »
Hi firefoxthebomb,

Thanks for the heads-up.
There indeed remains a problem with Symantec Endpoint Protection. It is currently under investigation.

Regards.

Reply #9, March 23, 2015, 03:25:46 PM

firefoxthebomb
Re: RogueKiller stops prescan at 80%
« Reply #9 on: March 23, 2015, 03:25:46 PM »
Thanks for the continued info, hope you guys nail it down, as I have that setup on many computers.

Look forward to the fix.

Reply #10, March 23, 2015, 03:40:47 PM

Curson (Global Moderator)
Re: RogueKiller stops prescan at 80%
« Reply #10 on: March 23, 2015, 03:40:47 PM »
Hi firefoxthebomb,

You are very welcome.
I will keep you informed in this thread about the evolution of the issue.

Regards.

Reply #11, March 30, 2015, 06:14:50 PM

firefoxthebomb
Re: RogueKiller stops prescan at 80%
« Reply #11 on: March 30, 2015, 06:14:50 PM »
Curson, just an FYI... I downloaded version 10.5.8x64 and tried this version to see if I still got the same errors. I was able to complete a pre-scan with no detections about Symantec Endpoint Protection; I did, however, get a false positive with Malwarebytes Secure Backup. See log below:

RogueKiller V10.5.8.0 (x64) [Mar 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : owner [Administrator]
Started from : L:\Flash Drives\128GB Flash Drive Backup\Tech CD\Utils\Ad Aware\Bleeping Computer Stuff\RogueKiller by tigzy\RogueKillerX64 V10.5.8.exe
Mode : Scan -- Date : 03/30/2015  11:10:32

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] mbsbscan.exe(9528) -- C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 9 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 36 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 52 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW :  @ 0x0 ()

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "http://www.bleepingcomputer.com/forums/|https://forums.malwarebytes.org/|http://www.systemlookup.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] 9a58401060fd78b7ced0042be99fe3e8
[BSP] a4478fcfe5b4c86f09d53598ed58a5e2 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 750 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1617920 | Size: 367112 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 753463296 | Size: 1539826 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] d4ecfbd1a1d3c4917af6d6d28c8c95d7
[BSP] 6f5fe8da57fa68252ca31cc6e5d209fd : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: Kanguru SS3 USB Device +++++
--- User ---
[MBR] 94f9443d96441ecfcdafb5853a2e8a7e
[BSP] 39eaafe8c7c2f2a60c9df4ab5a671e21 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 120348 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Generic- M.S./M.S.Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

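Both reports posted in this thread (Reply #7 and Reply #11) flag components of installed security products: Symantec's definition drivers as Suspicious.Path, and Malwarebytes Secure Backup's mbsbscan.exe as Tr.Zeus, which RogueKiller then killed. The script below is an added example, not RogueKiller's own code or anything from Adlice, showing how a defender can parse a RogueKiller text report and triage its detections before acting on them: a detection whose path belongs to a known installed security product is marked as a likely false positive to verify (for instance by checking the file's publisher signature), PUM.* entries are routed to configuration review, and actions the tool has already taken (such as Killed) are surfaced so the operator knows the process is already gone. The section and detection line layout is inferred from the reports above; the allowlist fragments, verdict names and sample report (assembled from lines posted in this thread, with section counts adjusted) are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: assembled from detection lines that appear in the two
# reports posted in this thread; section counts adjusted to match.
SAMPLE_REPORT = r"""RogueKiller V10.5.8.0 (x64) [Mar 30 2015] by Adlice Software

¤¤¤ Processes : 2 ¤¤¤
[Tr.Zeus] mbsbscan.exe(9528) -- C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe[7] -> Killed [TermProc]
[Suspicious.Path] (SVC) IDSVia64 -- \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys[7] -> ERROR [41c]

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)]  -> Found

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "http://www.bleepingcomputer.com/forums/|https://forums.malwarebytes.org/|http://www.systemlookup.com/"); -> Found

¤¤¤ Tasks : 0 ¤¤¤
"""

# Section headers look like "¤¤¤ Processes : 1 ¤¤¤", "¤¤¤ Antirootkit : 27 (Driver: Loaded) ¤¤¤"
# or "¤¤¤ MBR Check : ¤¤¤" (no count).  Layout inferred from the reports in this thread.
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d*).*¤¤¤$")
# Detections look like "[Category][optional extra tags] details -> Action".
# Hosts, MBR and IAT lines carry no " -> " and are deliberately not treated as detections.
DETECTION_RE = re.compile(r"^\[(?P<category>[^\]]+)\](?:\[[^\]]+\])* (?P<body>.*?) -> (?P<action>.+)$")

# Assumed allowlist: install-path fragments of security products known to be on the host.
# Deliberately product-specific (not just the vendor name) so that a URL or file name
# merely mentioning "malwarebytes" does not get waved through.
KNOWN_SECURITY_PRODUCT_PATHS = (
    "symantec endpoint protection",
    "malwarebytes secure backup",
)


@dataclass
class Detection:
    section: str
    category: str
    body: str
    action: str


@dataclass
class Triage:
    detection: Detection
    verdict: str          # likely-false-positive | policy-review | investigate
    already_acted: bool   # True when the report shows RogueKiller already killed/deleted it
    note: str


def parse_report(text: str) -> list[Detection]:
    """Walk the report line by line, tracking the current section."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        det = DETECTION_RE.match(line)
        if det and section:
            found.append(Detection(section, det.group("category"),
                                   det.group("body").strip(), det.group("action").strip()))
    return found


def triage(det: Detection) -> Triage:
    """Assign a verdict; verdict names are this example's own convention."""
    lowered = det.body.lower()
    acted = det.action.lower().startswith(("killed", "deleted"))
    if any(frag in lowered for frag in KNOWN_SECURITY_PRODUCT_PATHS):
        return Triage(det, "likely-false-positive", acted,
                      "path belongs to an installed security product; verify the file's "
                      "publisher signature before removing anything")
    if det.category.startswith("PUM."):
        return Triage(det, "policy-review", acted,
                      "potentially unwanted modification; compare with the expected configuration")
    return Triage(det, "investigate", acted, "no allowlist match")


def summarize(text: str) -> dict[str, int]:
    """Count detections per verdict for a quick first look at a report."""
    counts: dict[str, int] = {}
    for t in map(triage, parse_report(text)):
        counts[t.verdict] = counts.get(t.verdict, 0) + 1
    return counts


def main() -> None:
    for t in map(triage, parse_report(SAMPLE_REPORT)):
        flag = " (action already taken)" if t.already_acted else ""
        print(f"{t.verdict:22} [{t.detection.section}] {t.detection.category}: "
              f"{t.detection.action}{flag}  - {t.note}")


if __name__ == "__main__":
    main()
```

Run against a saved RKreport log by replacing SAMPLE_REPORT with the file's contents. The allowlist only downgrades a verdict to "verify first"; it does not clear anything, because a malicious file can be dropped into a trusted product's directory, which is exactly why the note asks for the publisher signature check rather than treating the path alone as proof.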

Reply #12, March 31, 2015, 10:01:29 PM

Curson (Global Moderator)
Re: RogueKiller stops prescan at 80%
« Reply #12 on: March 31, 2015, 10:01:29 PM »
Hi firefoxthebomb,

I'm really glad to hear that the incompatibilities with Symantec Endpoint Protection are now solved.  :)

Quote
[Tr.Zeus] mbsbscan.exe(9528) -- C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe[7] -> Killed [TermProc]
Thanks for bringing this to our attention. This false positive will be fixed in RogueKiller's next version.

Regards.

Reply #13, April 07, 2015, 10:05:27 PM

firefoxthebomb
Re: RogueKiller stops prescan at 80%
« Reply #13 on: April 07, 2015, 10:05:27 PM »
Just tested version 10.5.9.0 (x64): no problems with Symantec Endpoint Protection. Also, thanks for fixing the false positive with Malwarebytes Secure Backup; it is no longer detected.

Great Work!

Reply #14, April 07, 2015, 11:22:07 PM

Curson (Global Moderator)
Re: RogueKiller stops prescan at 80%
« Reply #14 on: April 07, 2015, 11:22:07 PM »
Hi firefoxthebomb,

You are very welcome.
Thanks for the feedback.

Regards.