RogueKiller findings

Solved
By changed
Mar 3, 2014
  1. Is there anything to be worried about in this RogueKiller log?

    RogueKiller V8.8.10 _x64_ [Feb 28 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Machine [Admin rights]
    Mode : Scan -- Date : 03/03/2014 11:23:21
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 11 ¤¤¤
    [HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) OCZ-VERTEX450 ATA Device +++++
    --- User ---
    [MBR] 36ec26bed67e782e6897316c5770d1bf
    [BSP] 2e58157ac89ddfe257479115d7721ac5 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 122102 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) Samsung SSD 840 EVO 120GB ATA Device +++++
    --- User ---
    [MBR] 389ca5341f22998a0b388f03d8d87e21
    [BSP] c9ad68cc04d9f6c44395c84d03f70746 : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114370 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) SSD2SC120GC2DH08T-T ATA Device +++++
    --- User ---
    [MBR] 9c47f011041859b10ffc31d9c5e329e5
    [BSP] 2684be1d9cca4c6aaa9f6c66136e8f4c : MBR Code unknown
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) Innostor Ext. HDD USB Device +++++
    --- User ---
    [MBR] 47fede4159459e5c875bf85c0fa5b45e
    [BSP] b37d3878718469e348115e14096bcb33 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    +++++ PhysicalDrive4: (\\.\PHYSICALDRIVE4 @ USB) Innostor Ext. HDD USB Device +++++
    --- User ---
    [MBR] 209db8755b9c282a81705d0344e845ac
    [BSP] 8af94ea496f6ec2fb24fb19b78052907 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    Finished : << RKreport[0]_S_03032014_112321.txt >>
  2. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    No. They're just some custom settings.
    Any computer issues?
  3. changed

    changed Newcomer, in training Topic Starter Posts: 20

    Nope, no computer issues, but in my Comodo Defense+ log it keeps repeatedly blocking 3 things.

    I trimmed down the log because it just repeats over and over again.

    COMODO Internet Security Premium Logs
    Table: Defense+ Events
    Date Created: 2014-03-03 19:02:06
    Records count: 798

    Date/Application/Action/Target
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_32
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_64
    2014-03-03 18:57:21 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
    2014-03-03 18:57:21 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_64
    2014-03-03 18:57:10 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify Key HKLM\SOFTWARE\Wow6432Node\ComodoGroup\Dragon\EnableMessageCenter
    2014-03-03 18:57:10 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\TEMP\ComodoLogsFolder\dragon_updater.exe.log
    2014-03-03 18:55:37 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
    2014-03-03 18:55:37 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    2014-03-03 18:55:23 C:\Windows\System32\taskhost.exe Modify Key HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment
    2014-03-03 18:55:23 C:\Windows\System32\taskhost.exe Modify Key HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment
    2014-03-03 18:55:23 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    2014-03-03 18:55:18 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\temp\ComodoLogsFolder\dragon_updater.exe.log
    2014-03-03 18:55:18 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify Key HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    2014-03-03 18:55:18 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\temp\ComodoLogsFolder\dragon_updater.exe.log
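Broni's follow-up question (which 3 things are being blocked) can be answered by collapsing the repeated Defense+ lines into distinct application/action/target triples and counting them. This Python script is an added example, not part of the thread or of Comodo's tooling; the embedded log lines are a constructed subset of the export above (the TEMP/temp spelling difference is kept on purpose), and the regex assumes only the three action verbs that appear in it.

```python
import re
from collections import Counter

# Constructed sample in the Defense+ export layout "date time application action target",
# a subset of the events pasted above with the TEMP/temp case difference kept on purpose.
SAMPLE_LOG = r"""
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_32
2014-03-03 18:57:10 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\TEMP\ComodoLogsFolder\dragon_updater.exe.log
2014-03-03 18:55:37 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
2014-03-03 18:55:18 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\temp\ComodoLogsFolder\dragon_updater.exe.log
"""

# The two-word action verb is the only reliable separator between the
# application path and the target path, since both may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<app>.+?) (?P<action>Modify File|Modify Key|Access Memory) (?P<target>.+)$"
)

def parse_events(text):
    """Return one dict per parsable event; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Count repeats per (application, action, target), most frequent first.

    Windows paths are case-insensitive, so keys are lower-cased; otherwise the
    TEMP/temp variants of the same log file would be counted as two things.
    """
    counts = Counter(
        (e["app"].lower(), e["action"], e["target"].lower()) for e in events
    )
    return counts.most_common()

if __name__ == "__main__":
    for (app, action, target), n in summarize(parse_events(SAMPLE_LOG)):
        exe = app.rsplit("\\", 1)[-1]
        print(f"{n:3d}x  {exe:<22} {action:<14} {target}")
```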
  4. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    What would those 3 things be?
    I'm not sure what I'm looking for.
  5. changed

    changed Newcomer, in training Topic Starter Posts: 20

    It keeps blocking mscorsvw.exe, which tries to modify the files:
    ngenrootstorelock.dat
    ngenofflinequeuelock.dat

    and it tries to modify the key: HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_32
    Last edited: Mar 3, 2014
  6. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Those look like legit files.
    I think your better option would be to inquire at Comodo forum.
    Let me know what they say.
  7. changed

    changed Newcomer, in training Topic Starter Posts: 20

    Will do. Thank you so much for your help. I also wanted to know if I should worry about these entries in autoruns that are highlighted in yellow:

    "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms" "" "" "" "2/21/2014 10:35 PM"
    + "rdpclip" "" "" "File not found: rdpclip" ""

    "HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" "" "2/21/2014 10:39 PM"
    + "PrivDog" "" "" "File not found: C:\Program Files\AdTrustMedia\PrivDog\1.8.0.18\trustedads.dll" ""

    "HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" "" "" "" "2/21/2014 10:39 PM"
    + "PrivDog" "" "" "File not found: C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.18\trustedads.dll" ""


    HKLM\System\CurrentControlSet\Services 3/3/2014 2:06 PM

    + "catchme" "" "" "File not found: C:\your_name\catchme.sys" ""
    + "cpuz136" "" "" "File not found: C:\Users\Machine\AppData\Local\Temp\cpuz136\cpuz136_x64.sys" ""
    + "WinRing0_1_2_0" "" "" "File not found: G:\Internet Downloads\openhardwaremonitor-v0.6.0-beta\OpenHardwareMonitor\OpenHardwareMonitor.sys" ""

    Anything that I should be worried about?
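A quick way to triage an Autoruns text export like the one above is to parse it and flag every entry whose image column reads "File not found", which is what Broni's advice to uncheck them rests on. This Python parser is an added example, not the thread's or Sysinternals' code; the embedded lines are a constructed sample in the same layout as the paste (the "ExampleSvc" entry is invented to show a healthy entry), and the field order it assumes is the one visible there.

```python
import re

# Constructed sample in the layout of the Autoruns text pasted above: a header line
# per registry location, then one "+" line per entry found under it. The
# "ExampleSvc" entry is invented to show what a healthy (non-orphaned) entry looks like.
SAMPLE_AUTORUNS = r'''
"HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms" "" "" "" "2/21/2014 10:35 PM"
+ "rdpclip" "" "" "File not found: rdpclip" ""
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" "" "2/21/2014 10:39 PM"
+ "PrivDog" "" "" "File not found: C:\Program Files\AdTrustMedia\PrivDog\1.8.0.18\trustedads.dll" ""
HKLM\System\CurrentControlSet\Services 3/3/2014 2:06 PM
+ "catchme" "" "" "File not found: C:\your_name\catchme.sys" ""
+ "cpuz136" "" "" "File not found: C:\Users\Machine\AppData\Local\Temp\cpuz136\cpuz136_x64.sys" ""
+ "ExampleSvc" "constructed healthy entry" "Example Publisher" "c:\windows\system32\examplesvc.dll" ""
'''

QUOTED = re.compile(r'"([^"]*)"')              # every "..." field on a line
HEADER_DATE = re.compile(r'^(?P<key>.*?)\s+\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M$')
NOT_FOUND = "File not found: "

def parse_autoruns(text):
    """Return one dict per '+' entry: location, name, path and a status of
    "ok", "missing" (image path no longer exists) or "missing-unqualified"
    (a bare name with no directory at all; clean these up like any other orphan)."""
    entries, location = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = QUOTED.findall(line)
        if not line.startswith("+"):
            # Header line: a quoted key, or an unquoted key followed by a date.
            m = HEADER_DATE.match(line)
            location = fields[0] if fields else (m.group("key") if m else line)
            continue
        if len(fields) < 4:
            continue                              # malformed entry, skip it
        name, image = fields[0], fields[3]        # name, description, publisher, image
        if image.startswith(NOT_FOUND):
            path = image[len(NOT_FOUND):]
            status = "missing" if ("\\" in path or ":" in path) else "missing-unqualified"
        else:
            path, status = image, "ok"
        entries.append({"location": location, "name": name, "path": path, "status": status})
    return entries

def orphaned(entries):
    """The entries Autoruns highlights in yellow: image path not found."""
    return [e for e in entries if e["status"] != "ok"]
```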
  8. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    All of those are "File not found" so just make sure all those entries are unchecked.
  9. changed

    changed Newcomer, in training Topic Starter Posts: 20

    Thank you. I appreciate your help. You're awesome Broni. I'll be donating to you shortly.
  10. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    You're very welcome

    ...and thank you :)


TechSpot Members