TechSpot

RogueKiller findings

By changed
Mar 3, 2014
  1. Is there anything to be worried about in this RogueKiller log?

    RogueKiller V8.8.10 _x64_ [Feb 28 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Machine [Admin rights]
    Mode : Scan -- Date : 03/03/2014 11:23:21
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 11 ¤¤¤
    [HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) OCZ-VERTEX450 ATA Device +++++
    --- User ---
    [MBR] 36ec26bed67e782e6897316c5770d1bf
    [BSP] 2e58157ac89ddfe257479115d7721ac5 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 122102 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) Samsung SSD 840 EVO 120GB ATA Device +++++
    --- User ---
    [MBR] 389ca5341f22998a0b388f03d8d87e21
    [BSP] c9ad68cc04d9f6c44395c84d03f70746 : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114370 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) SSD2SC120GC2DH08T-T ATA Device +++++
    --- User ---
    [MBR] 9c47f011041859b10ffc31d9c5e329e5
    [BSP] 2684be1d9cca4c6aaa9f6c66136e8f4c : MBR Code unknown
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) Innostor Ext. HDD USB Device +++++
    --- User ---
    [MBR] 47fede4159459e5c875bf85c0fa5b45e
    [BSP] b37d3878718469e348115e14096bcb33 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    +++++ PhysicalDrive4: (\\.\PHYSICALDRIVE4 @ USB) Innostor Ext. HDD USB Device +++++
    --- User ---
    [MBR] 209db8755b9c282a81705d0344e845ac
    [BSP] 8af94ea496f6ec2fb24fb19b78052907 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    Finished : << RKreport[0]_S_03032014_112321.txt >>
     
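To make the [PUM] lines machine-checkable, here is an added Python example (not part of the thread or of RogueKiller) that parses the Registry Entries section and singles out the four entries that weaken UAC: EnableLUA=0 turns UAC off and ConsentPromptBehaviorAdmin=0 lets administrators elevate silently. The report text is constructed from the first post; the explanations of the values are the editor's.

```python
import re

# Constructed sample: the "Registry Entries" lines from the RogueKiller report
# quoted above (RogueKiller itself abbreviates the key paths with [...]).
ROGUEKILLER_REGISTRY = r"""
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
"""

# Line layout: [category][kind] key : value-name (data) -> status
ENTRY_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\[(?P<kind>[^\]]+)\]\s+(?P<key>.+?)\s+:\s+"
    r"(?P<name>.+?)\s+\((?P<data>[^)]*)\)\s+->\s+(?P<status>\w+)$"
)

# UAC policy values (HKLM\...\Policies\System) and the data that weakens them.
# PUM means "potentially unwanted modification": a setting that differs from
# the default, which is why a deliberately changed preference lands here too.
UAC_WEAK = {
    "EnableLUA": ("0", "UAC is switched off"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate with no prompt"),
}

def parse_entries(report):
    """Parse each registry line into a dict; lines that do not match are skipped."""
    entries = []
    for line in report.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def uac_findings(entries):
    """Return (key, name, why) for every PUM entry that weakens UAC."""
    findings = []
    for e in entries:
        weak = UAC_WEAK.get(e["name"])
        if e["kind"] == "PUM" and weak and e["data"] == weak[0]:
            findings.append((e["key"], e["name"], weak[1]))
    return findings

def other_pum(entries):
    """The remaining PUM lines in this report are desktop-icon and Start-menu preferences."""
    return [e["name"] for e in entries if e["kind"] == "PUM" and e["name"] not in UAC_WEAK]
```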
  2. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    No. They're just some custom settings.
    Any computer issues?
     
  3. changed

    changed TS Rookie Topic Starter Posts: 27

    Nope, no computer issues, but in my Comodo Defense+ log it keeps repeatedly blocking 3 things.

    I trimmed down the log because it just repeats over and over again.

    COMODO Internet Security Premium Logs
    Table: Defense+ Events
    Date Created: 2014-03-03 19:02:06
    Records count: 798

    Date/Application/Action/Target
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_32
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_64
    2014-03-03 18:57:21 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
    2014-03-03 18:57:21 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_64
    2014-03-03 18:57:10 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify Key HKLM\SOFTWARE\Wow6432Node\ComodoGroup\Dragon\EnableMessageCenter
    2014-03-03 18:57:10 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\TEMP\ComodoLogsFolder\dragon_updater.exe.log
    2014-03-03 18:55:37 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
    2014-03-03 18:55:37 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    2014-03-03 18:55:23 C:\Windows\System32\taskhost.exe Modify Key HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment
    2014-03-03 18:55:23 C:\Windows\System32\taskhost.exe Modify Key HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment
    2014-03-03 18:55:23 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    2014-03-03 18:55:18 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\temp\ComodoLogsFolder\dragon_updater.exe.log
    2014-03-03 18:55:18 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify Key HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    2014-03-03 18:55:18 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify File C:\Windows\temp\ComodoLogsFolder\dragon_updater.exe.log
     
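An added Python example (not from the thread or from Comodo) that collapses a repeating Defense+ export into distinct (application, action, target) triples and counts events per executable, which is the quickest way to see what a 798-record log actually contains. The sample lines are constructed from the export above; the check a defender cares about is that mscorsvw.exe, the .NET Runtime Optimization Service, runs from its expected Microsoft.NET\Framework*\v4.0.30319 path.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample (a subset of the export quoted above): one event per line
# in the Date/Application/Action/Target layout of a Defense+ log.
DEFENSE_LOG = r"""
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_32
2014-03-03 18:58:15 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
2014-03-03 18:57:10 C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Modify Key HKLM\SOFTWARE\Wow6432Node\ComodoGroup\Dragon\EnableMessageCenter
2014-03-03 18:55:37 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
"""

# Timestamp, then the application path (it may contain spaces), then one of the
# two-word actions Defense+ reports, then the target file or registry key.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<app>.+?) "
    r"(?P<action>Modify File|Modify Key|Access Memory) (?P<target>.+)$"
)

def parse_events(log):
    """Parse each event line into a dict; lines that do not match are skipped."""
    events = []
    for line in log.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def distinct_blocks(log):
    """Collapse the repeating log into (application, action, target) -> count."""
    return Counter((e["app"], e["action"], e["target"]) for e in parse_events(log))

def by_application(log):
    """Count events per executable name so the noisiest process stands out."""
    return Counter(PureWindowsPath(e["app"]).name for e in parse_events(log))

def expected_path(log, exe, prefix):
    """True when every event for `exe` comes from a path starting with `prefix`."""
    apps = {e["app"] for e in parse_events(log) if PureWindowsPath(e["app"]).name == exe}
    return bool(apps) and all(a.lower().startswith(prefix.lower()) for a in apps)

if __name__ == "__main__":
    for (app, action, target), n in distinct_blocks(DEFENSE_LOG).most_common():
        print(f"{n:4d}  {PureWindowsPath(app).name:<22} {action:<14} {target}")
```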
  4. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    What would those 3 things be?
    I'm not sure what I'm looking for.
     
  5. changed

    changed TS Rookie Topic Starter Posts: 27

    It keeps blocking
    mscorsvw.exe which tries to modify the files:
    ngenrootstorelock.dat
    ngenofflinequeuelock.dat

    and it tries to modify the key: HKLM\SYSTEM\ControlSet???\Services\clr_optimization_v4.0.30319_32
     
    Last edited: Mar 3, 2014
  6. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    Those look like legit files.
    I think your better option would be to inquire at Comodo forum.
    Let me know what they say.
     
  7. changed

    changed TS Rookie Topic Starter Posts: 27

    Will do. Thank you so much for your help. I also wanted to know if I should worry about these entries in autoruns that are highlighted in yellow:

    "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms" "" "" "" "2/21/2014 10:35 PM"
    + "rdpclip" "" "" "File not found: rdpclip" ""

    "HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" "" "2/21/2014 10:39 PM"
    + "PrivDog" "" "" "File not found: C:\Program Files\AdTrustMedia\PrivDog\1.8.0.18\trustedads.dll" ""

    "HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" "" "" "" "2/21/2014 10:39 PM"
    + "PrivDog" "" "" "File not found: C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.18\trustedads.dll" ""


    HKLM\System\CurrentControlSet\Services 3/3/2014 2:06 PM

    + "catchme" "" "" "File not found: C:\your_name\catchme.sys" ""
    + "cpuz136" "" "" "File not found: C:\Users\Machine\AppData\Local\Temp\cpuz136\cpuz136_x64.sys" ""
    + "WinRing0_1_2_0" "" "" "File not found: G:\Internet Downloads\openhardwaremonitor-v0.6.0-beta\OpenHardwareMonitor\OpenHardwareMonitor.sys" ""



    Anything that I should be worried about?
     
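An added Python example (editor's code, not from the thread or from Sysinternals) that parses the quoted Autoruns layout above and lists every entry whose image is reported as "File not found" together with the registry key it lives under, which is the list to review and uncheck. The sample text is constructed from the post; the column meanings are inferred from it.

```python
import re

# Constructed sample in the layout of the Autoruns entries pasted above:
# a registry-key header line followed by "+"-prefixed entries under that key.
AUTORUNS_TEXT = r'''
"HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms" "" "" "" "2/21/2014 10:35 PM"
+ "rdpclip" "" "" "File not found: rdpclip" ""

"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" "" "2/21/2014 10:39 PM"
+ "PrivDog" "" "" "File not found: C:\Program Files\AdTrustMedia\PrivDog\1.8.0.18\trustedads.dll" ""

HKLM\System\CurrentControlSet\Services 3/3/2014 2:06 PM
+ "catchme" "" "" "File not found: C:\your_name\catchme.sys" ""
+ "WinRing0_1_2_0" "" "" "File not found: G:\Internet Downloads\openhardwaremonitor-v0.6.0-beta\OpenHardwareMonitor\OpenHardwareMonitor.sys" ""
'''

# Header: optional quotes, an HK* key path, optional empty fields, a timestamp.
KEY_RE = re.compile(
    r'^"?(?P<key>HK\w+\\.+?)"?(?:\s+"")*\s+"?\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M"?$'
)
# Entry: "+", the entry name, two fields we ignore, the image-path column, one more field.
ENTRY_RE = re.compile(
    r'^\+\s+"(?P<name>[^"]*)"(?:\s+"[^"]*"){2}\s+"(?P<image>[^"]*)"\s+"[^"]*"$'
)
MISSING = "File not found: "

def orphaned_entries(text):
    """Return every entry whose image path no longer exists, with its parent key."""
    orphans, key = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")   # remember the key for the entries that follow
            continue
        m = ENTRY_RE.match(line)
        if m and m.group("image").startswith(MISSING):
            orphans.append({"key": key, "name": m.group("name"),
                            "missing_path": m.group("image")[len(MISSING):]})
    return orphans

if __name__ == "__main__":
    for o in orphaned_entries(AUTORUNS_TEXT):
        print(f'{o["key"]} -> {o["name"]}: {o["missing_path"]}')
```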
  8. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    All of those are "File not found" so just make sure all those entries are unchecked.
     
  9. changed

    changed TS Rookie Topic Starter Posts: 27

    Thank you. I appreciate your help. You're awesome Broni. I'll be donating to you shortly.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    You're very welcome

    ...and thank you :)
     
