Purrington 0 Posted October 4, 2015

Using Emsisoft I repeatedly get the same infection and, seemingly no matter how many times I send it to "Quarantine", it rears its ugly head within a couple of days or so. Here is what today's report said:

Emsisoft Emergency Kit - Version 10.0
Last update: 10/2/2015 7:34:30 AM
User account: Lewis-PC\Lewis

Scan settings:
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 10/4/2015 11:15:50 AM
Value: HKEY_USERS\S-1-5-21-1422163307-3788927115-2030255185-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)

Scanned 73742
Found 1

Scan end: 10/4/2015 11:21:09 AM
Scan time: 0:05:19

Value: HKEY_USERS\S-1-5-21-1422163307-3788927115-2030255185-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)

Quarantined 1

Correspondingly, whenever I run Rogue Killer I continually see the same infections, which, as with Emsisoft, recur repeatedly despite being sent to quarantine. Here is today's Rogue Killer report:

RogueKiller V10.10.7.0 [sep 28 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lewis [Administrator]
Started from : C:\Users\Lewis\Downloads\RogueKiller.exe
Mode : Delete -- Date : 10/04/2015 12:43:00

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)]) -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)]) -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DB07389-E2D8-435C-8610-A2B4A482E18C} | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)]) -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2DB07389-E2D8-435C-8610-A2B4A482E18C} | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)]) -> Replaced ()

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] afd3e18634a03cfc5f5cd4c7c7c1540f
[bSP] 2ec32c4dafc030881e2a9675b975a583 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 15000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

How may I resolve this issue? Thank you
Kevin Zoll 309 Posted October 5, 2015

Purrington,

The items showing in your RogueKiller log are not malicious. The IP address 10.0.0.1 is your internal network DNS. There are many tools that set the Disable Registry Tools value in the Windows Registry. It is used to control access to the Windows Registry Editor. By default it is not present on Windows.

If you can still use the Registry Editor, you can white list the detection.
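A small triage script along the lines of Kevin's reply, added here as an example and not part of this thread or of RogueKiller: it parses the [PUM.Dns] lines of a RogueKiller log and marks each DhcpNameServer value as a LAN (RFC 1918 or loopback) resolver, the benign case above, or an external one that deserves a closer look. The sample log is constructed: its first two lines are copied from the thread, the third is made up with a placeholder interface GUID and a documentation-range address.

```python
import ipaddress
import re

# RFC 1918 ranges: a DhcpNameServer inside one of these is the LAN router or
# DNS server handed out by DHCP, the case the thread identifies as benign.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One RogueKiller line: "[PUM.Dns] (X64) <key> | <name> : <ips> (...) -> <action>"
PUM_DNS_RE = re.compile(
    r"\[PUM\.Dns\]\s+\(\w+\)\s+(?P<key>\S+)\s+\|\s+(?P<name>\w+)\s*:\s*"
    r"(?P<value>[\d.]+(?:\s+[\d.]+)*)"
)

# Constructed sample: lines 1-2 are from the thread's log; line 3 is made up
# (placeholder GUID, TEST-NET-2 address) to exercise the external case.
SAMPLE_LOG = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)]) -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)]) -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-PLACEHOLDER} | DhcpNameServer : 198.51.100.7 ([(Public) (XX)]) -> Replaced ()
"""

def classify_dns_server(ip_text: str) -> str:
    """'lan' for loopback/RFC 1918 resolvers, 'external' otherwise."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip.is_loopback or any(ip in net for net in RFC1918_NETS):
        return "lan"
    return "external"

def triage_pum_dns(log_text: str) -> list:
    """Parse every [PUM.Dns] line and give each registry value a verdict."""
    findings = []
    for line in log_text.splitlines():
        m = PUM_DNS_RE.search(line)
        if not m:
            continue
        servers = {s: classify_dns_server(s) for s in m.group("value").split()}
        # A hijacked resolver points outside the LAN; only that needs review.
        verdict = "review" if "external" in servers.values() else "benign-lan"
        findings.append({"key": m.group("key"), "name": m.group("name"),
                         "servers": servers, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage_pum_dns(SAMPLE_LOG):
        print(f["verdict"], f["name"], f["servers"], f["key"])
```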
Purrington 0 Posted October 6, 2015 (Author)

Kevin: I appreciate your prompt and professional response. Allow me to apologize in advance, but I do not know what "white list the detection" means. Could you kindly tell me in layman's terms what this means and the steps I should take in performing this action? Thank you.
Elise 276 Posted October 8, 2015

Hello,

Since Kevin is away I'll work with you in this topic until he gets back.

To whitelist a detected object, once the scan finishes right-click on the object and select Add to Whitelist. This will ensure that the object will no longer be detected. To manage the whitelist, you can also click the Scan menu and click the Manage Whitelist button (if you want to do this after having run a scan, you first need to click the New Scan button to return to the scan selection screen).
Purrington 0 Posted October 8, 2015 (Author)

Thank you Elise
Elise 276 Posted October 8, 2015

Do you have any other problem or question? If not, this topic will be closed.
Kevin Zoll 309 Posted October 12, 2015

Thread Closed
Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.