RogueKiller deleted McAfee Anti-Rootkit registry keys?


No replies to this topic

#1 squid917

Posted 14 August 2014 - 03:20 PM

So I didn't know at the time how critical I should be of false positives (I've only used McAfee for a while). I ran RogueKiller for the first time and it detected some leftover registry trace keys, like "disable icon" or "disable Task Manager". But that malware is long gone and those were just traces. It also found 3 Suspicious.Path entries. All of these are part of McAfee Anti-Rootkit, and I know that for a fact. I never tested whether the application worked after that, because I didn't know if it was McAfee. Well, I deleted the exe, downloaded the same one again, and it worked great. So I ran a scan with RogueKiller again and this time it came up with only 2 of the suspicious paths. The logs are below: 1 = 3 Suspicious.Path entries, 2 = 2 Suspicious.Path entries. I want to know if I have hurt the computer in any way. I can't really figure out how the recovery system works with RogueKiller. It also doesn't like the McAfee process either. Thanks for the help!

 

1.

 

 RogueKiller V9.2.2.0 [Jul 11 2014] by Adlice Software

 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dane [Admin rights]
Mode : Remove -- Date : 07/13/2014  12:20:16
 
¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess] mcshield.exe -- [x] -> ERROR [12]
 
¤¤¤ Registry Entries : 15 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MFE_RR -> DELETED
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> DELETED
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> DELETED
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> ERROR [2]
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> ERROR [2]
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> DELETED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> DELETED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> ERROR [2]
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> ERROR [2]
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Scan -ScheduleJob -RestrictPrivileges) -> NOT SELECTED
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM ST2000DM001-1CH1 SCSI Disk Device +++++
--- User ---
[MBR] 26fe1b92c2d0df7531b83c9195dfdcc0
[BSP] 03eda3b191995d7be93428c9234050ba : Unknown MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
Error reading LL2 MBR! ([18] The program issued a command but the command length is incorrect. )
 
 
============================================
RKreport_SCN_07132014_121725.log

2.

 

RogueKiller V9.2.2.0 [Jul 11 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dane [Admin rights]
Mode : Remove -- Date : 08/14/2014  12:15:08
 
¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess] mcshield.exe -- [x] -> ERROR [12]
 
¤¤¤ Registry Entries : 10 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3296861245-906978654-1349800872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Scan -ScheduleJob -RestrictPrivileges) -> NOT SELECTED
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM ST2000DM001-1CH1 SCSI Disk Device +++++
--- User ---
[MBR] 26fe1b92c2d0df7531b83c9195dfdcc0
[BSP] 03eda3b191995d7be93428c9234050ba : Unknown MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
Error reading LL2 MBR! ([18] The program issued a command but the command length is incorrect. )
 
 
============================================
RKreport_DEL_07132014_122016.log - RKreport_SCN_07132014_121725.log - RKreport_SCN_07132014_124021.log - RKreport_SCN_07132014_124843.log
RKreport_SCN_07132014_125209.log - RKreport_SCN_08142014_121306.log
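An added example, not code from the poster or from RogueKiller: a small Python parser for the "Registry Entries" lines in the two reports above. It lists which service keys a report says were DELETED and shows how each entry's action changed between the two scans, which is what the question turns on (the three MFE_RR service keys were removed in the first run, and the second run only re-detected two of them without acting on them). REPORT_1 and REPORT_2 are constructed excerpts of the logs quoted above.

```python
import re
from typing import NamedTuple, Optional

# Constructed excerpts of the two RogueKiller "Registry Entries" sections quoted above.
REPORT_1 = r"""
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MFE_RR -> DELETED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> DELETED
"""
REPORT_2 = r"""
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR -> NOT SELECTED
"""

# One registry line: [Category] (Arch) Key [| ValueName : Data] -> Action
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] \((?P<arch>X64|X86)\) "
    r"(?P<key>[^|]+?)(?: \| (?P<value>[^:]+?) : (?P<data>.+?))?\s+-> (?P<action>.+)$"
)

class Entry(NamedTuple):
    category: str
    arch: str
    key: str
    value: Optional[str]   # None for whole-key entries such as a service key
    action: str

def parse_registry_entries(report: str) -> list:
    """Return the registry lines of a report as Entry records; other lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["category"], m["arch"], m["key"], m["value"], m["action"]))
    return entries

def deleted_service_keys(report: str) -> list:
    """Whole service keys (under a Services key) the report says were removed, in report order."""
    return [e.key for e in parse_registry_entries(report)
            if e.value is None and "\\Services\\" in e.key and e.action == "DELETED"]

def action_changes(first: str, second: str) -> dict:
    """Map each (arch, key, value) in either report to (action in first, action in second).
    None means the entry was not listed in that report at all."""
    a = {(e.arch, e.key, e.value): e.action for e in parse_registry_entries(first)}
    b = {(e.arch, e.key, e.value): e.action for e in parse_registry_entries(second)}
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys()}
```

Running `action_changes` over the two full logs shows the ControlSet002 MFE_RR key as DELETED in the first report and absent from the second, which is why only two Suspicious.Path entries remain.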

 


