
[Solved] Malware Found By RogueKiller

Discussion in 'Malware Removal Help' started by N3, Feb 8, 2018.

  1. N3

    N3 Registered Members

    Joined:
    Dec 26, 2013
    Messages:
    275
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    Lenovo
    RogueKiller V12.12.3.0 (x64) [Feb 5 2018] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : https://forum.adlice.com
    Website : http://www.adlice.com/download/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : N3 [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Mode : Scan -- Date : 02/08/2018 06:06:17 (Duration : 00:19:01)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 12 ¤¤¤
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3450983300-2090305916-611037370-1001\Software\APN PIP -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3450983300-2090305916-611037370-1001\Software\APN PIP -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3450983300-2090305916-611037370-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3450983300-2090305916-611037370-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 23.252.205.6 23.252.205.7 24.238.0.61 8.8.8.8 ([-][United States][United States][-]) -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 23.252.205.6 23.252.205.7 24.238.0.61 8.8.8.8 ([-][United States][United States][-]) -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EABBDE28-E2CE-4D58-8C02-C30ADAF54A04} | DhcpNameServer : 23.252.205.6 23.252.205.7 24.238.0.61 8.8.8.8 ([-][United States][United States][-]) -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{EABBDE28-E2CE-4D58-8C02-C30ADAF54A04} | DhcpNameServer : 23.252.205.6 23.252.205.7 24.238.0.61 8.8.8.8 ([-][United States][United States][-]) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{AD764F2A-94E0-4CD2-BC64-D64661715680}C:\users\n3\appdata\local\skypeplugin\pluginhost.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\n3\appdata\local\skypeplugin\pluginhost.exe|Name=pluginhost.exe|Desc=pluginhost.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A42731A9-5705-41F1-BB33-E8E1EC526965}C:\users\n3\appdata\local\skypeplugin\pluginhost.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\n3\appdata\local\skypeplugin\pluginhost.exe|Name=pluginhost.exe|Desc=pluginhost.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{AD764F2A-94E0-4CD2-BC64-D64661715680}C:\users\n3\appdata\local\skypeplugin\pluginhost.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\n3\appdata\local\skypeplugin\pluginhost.exe|Name=pluginhost.exe|Desc=pluginhost.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A42731A9-5705-41F1-BB33-E8E1EC526965}C:\users\n3\appdata\local\skypeplugin\pluginhost.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\n3\appdata\local\skypeplugin\pluginhost.exe|Name=pluginhost.exe|Desc=pluginhost.exe|Defer=User| [x] -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][Firefox:Config] mk4f98l4.default-1461806273242 : user_pref("browser.startup.homepage", "https://www.startpage.com/"); -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: Hitachi HDS721010CLA332 ATA Device +++++
    --- User ---
    [MBR] 7635bdab7da2f2248b570be293dd9af4
    [BSP] 2ce8c48d47d016d5789121630c4a1b2f : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 928093 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 1900941312 | Size: 25675 MB
    User = LL1 ... OK
    User = LL2 ... OK
     
  2. plodr

    plodr CHF Advisor CHF Advisers

    Joined:
    May 31, 2017
    Messages:
    143
    Operating System:
    Windows 7
    Are you sure you have malware? Looking over the 12 registry items - the only thing it found
    The first 4 items, PUP and PUM (potentially unwanted program and potentially unwanted modification),
    deal with a Search bar in Internet Explorer.
    Did you add this? If not, then select those 4 items for removal.

    The next 4 items deal with DNS specifically 23.252.205.6 23.252.205.7 24.238.0.61 8.8.8.8
    Is your ISP Hotwire Communication? The first three DNS servers belong to that. The last one is Google.
    If your ISP is not Hotwire Communication, then call your ISP and find out what DNS servers they use.

    The last 4 deal with a Skype plugin and Firewall rules. Do you use Skype?
     
  3. starbuck

    starbuck Administrator - Malware Removal Specialist Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,259
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    I've moved this thread to the malware removal forum as reports from RogueKiller are not allowed in 'Is My Computer Infected'.

    Please read the rules here: Is my Computer infected or not?.... who can i ask?

    The reason the 'Skype Plugin' entries are listed is because Skype no longer needs plugins installed to make calls.
    The fact that it's in the firewall section means that your firewall will let it through.
    ControlSet001 is basically the last control set that your system booted with.
    ControlSet002 is normally known as 'Last Known Good Configuration'.
    It doesn't mean that there's twice as many entries.

    PUM stands for Potentially Unwanted Modification..... all this means is that the entry isn't a default entry.
    But it may have been set by you.... in which case it's legit.
    Only you know if you set the search parameters.

    PUM.Dns ... [Possible DNS Hijack: If IPs aren’t registered in your own country you can fix them.]

    There's nothing to worry about in the report if you set those alterations or use those programs.
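    To repeat the checks plodr and starbuck walk through above on your own machine, here is an added PowerShell example (not code from the thread or from RogueKiller; assumes PowerShell 3 or later). It reads DhcpNameServer/NameServer from every ControlSet and interface key and lists inbound Allow firewall rules for programs under a user profile; the $ExpectedDns list is an assumption you fill in with your ISP's resolvers.

```powershell
# Added example, not from the thread or from RogueKiller: re-check the registry
# locations the report above flagged. $ExpectedDns is an assumption; fill it with
# the resolvers your ISP actually hands out (the thread names Hotwire and Google).
$ExpectedDns = @('8.8.8.8', '8.8.4.4')   # placeholder allowlist, not a verdict
$dnsFindings = @(); $fwFindings = @()

# Per the thread, ControlSet001 is the set last booted and ControlSet002 is
# Last Known Good, so one value shows up once per set; walk them all.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
foreach ($cs in $controlSets) {
    $tcpip = Join-Path $cs.PSPath 'Services\Tcpip\Parameters'
    $keys  = @($tcpip) + @(Get-ChildItem (Join-Path $tcpip 'Interfaces') -ErrorAction SilentlyContinue |
                           ForEach-Object { $_.PSPath })
    foreach ($k in $keys) {
        foreach ($name in 'DhcpNameServer', 'NameServer') {
            $val = (Get-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue).$name
            if (-not $val) { continue }
            foreach ($ip in ($val -split '[ ,]+' | Where-Object { $_ })) {
                $dnsFindings += [pscustomobject]@{
                    ControlSet = $cs.PSChildName; Value = $name; Server = $ip
                    Key = ($k -replace '^.*::HKEY_LOCAL_MACHINE\\', 'HKLM\')
                    Expected = ($ExpectedDns -contains $ip)
                }
            }
        }
    }
    # Firewall: inbound Allow rules whose program lives under a user profile, the
    # pattern RogueKiller tagged as Suspicious.Path for pluginhost.exe above.
    $fwKey = Join-Path $cs.PSPath 'Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    $rules = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if (-not $rules) { continue }
    foreach ($p in $rules.PSObject.Properties) {
        if ('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' -contains $p.Name) { continue }
        $f = @{}   # rule string looks like "v2.10|Action=Allow|Active=TRUE|Dir=In|App=...|..."
        foreach ($kv in ($p.Value -split '\|')) {
            if ($kv -match '^([^=]+)=(.*)$') { $f[$matches[1]] = $matches[2] }
        }
        if ($f['Action'] -eq 'Allow' -and $f['Dir'] -eq 'In' -and $f['App'] -match '\\Users\\[^\\]+\\AppData\\') {
            $fwFindings += [pscustomobject]@{
                ControlSet = $cs.PSChildName; Rule = $p.Name; App = $f['App']
                Protocol = $f['Protocol']; Profile = $f['Profile']
            }
        }
    }
}
'DNS servers not on the expected list (empty = nothing to chase):'
$dnsFindings | Where-Object { -not $_.Expected } | Format-Table -AutoSize
'Inbound Allow rules for programs under a user profile (confirm you installed each):'
$fwFindings | Format-Table -AutoSize
```

Anything in the first table that is not your ISP's resolver is worth a call to the ISP, as plodr suggests; anything in the second table you do not recognise is worth checking before the rule stays.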
     
  4. N3

    Thank you Plodr & starbuck. Admins please consider this problem solved.
     
  5. starbuck

    Ok, thanks N3.
     