
Solved

RogueKiller has no option of deleting

Posted on 2016-11-18
Medium Priority
289 Views
Last Modified: 2016-11-21
I ran a RogueKiller scan and it detected some threats, but I have no option of deleting them; even when I select them in the list it still says "not selected". See attached.
Roguekiller.JPG
Question by:Abraham Deutsch
19 Comments
 
LVL 7

Expert Comment

by:Raghav
ID: 41892913
Hi,

You might find something useful in the links below:

http://www.bleepingcomputer.com/forums/t/554514/pumdns-found-on-rogue-killer-help-please/

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

You also might want to disable / uninstall software from Solvusoft to see if this fixes your issue.

Good luck with that.

--Raghav.
 
LVL 65

Expert Comment

by:btan
ID: 41892947
Do see this FAQ:
Q – RogueKiller antirootkit found items, but I can’t check them for deletion. Why?
A – Antirootkit is for diagnostic only. It shows hooks made in the system, and potentially suspicious. Hooks are a consequence, and never a cause of malicious activity. So it wouldn’t make any sense to remove them, hence why they are not proposed for removal.
http://www.adlice.com/documentation/roguekiller/faq/
 
LVL 3

Author Comment

by:Abraham Deutsch
ID: 41893005
"RogueKiller antirootkit": would you give me a little more explanation of what antirootkit means? Is it that I don't have the full version? (It's RogueKiller Premium.)
 
LVL 65

Expert Comment

by:btan
ID: 41893058
Anti-rootkit is in all versions @ http://www.adlice.com/download/roguekiller/
Come to think of it, and as is evident from the image, a PUP is not really a hook as depicted under the AK scan. See these AK findings:
https://forum.adlice.com/index.php?topic=195.msg733#msg733
I saw the issue is due to a product bug that is to be patched instead. You probably have to get the latest version and reinstall:
https://forum.adlice.com/index.php?topic=323.msg1399#msg1399
Alternatively, you can try RogueKillerCMD, but it is a paid version based on the version table.
 
LVL 93

Expert Comment

by:nobus
ID: 41893994
I suppose you ran other AV and malware scans?
If not, run these too:
http://www.malwarebytes.org/mbam.php (MBAM)
http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/ (JRT)
 
LVL 65

Accepted Solution

by: btan (earned 1200 total points)
ID: 41894013
To add, you can try removal using this:
AdwCleaner is a program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer.  
http://www.bleepingcomputer.com/download/adwcleaner/
 
LVL 49

Expert Comment

by:dbrunton
ID: 41894414
What Roguekiller has found is one suspicious Chrome addon and four registry entries.

The Chrome addon can be uninstalled by the user.  That's no big problem.

The first registry entry points to Solvusoft software.  If Solvusoft software is installed on this computer then it can be uninstalled.  That may get rid of that entry but I don't consider it important.

The other three ARE important, but I can't see enough of them to see the full contents.
 
LVL 3

Author Comment

by:Abraham Deutsch
ID: 41894552
Is it what you are saying that RogueKiller will only take action on what is marked red, giving no choice to kill PUPs etc.? So what is this check box near each line? (Selecting it keeps the status as "not selected", see image.)

See attached: I have the latest version of RogueKiller.

I have the Malwarebytes paid version but it does not detect anything. In the image you can see the only threat RogueKiller marks red is Malwarebytes, and it disables it. (I enable it manually after a RogueKiller run.)

I also attached a report from Kaspersky, which deleted 12 threats yesterday.

I know I am under some attack (even while being protected with all of these protections), as messages were sent out from my Skype and an unauthorized user tried to access my Microsoft account (I have two-factor authentication on, so access was blocked). Also my internet browsing is very slow.
RogueKillerV.JPG
kaspersky.JPG
RoguekillerR.JPG
 
LVL 93

Expert Comment

by:nobus
ID: 41894567
In such a case you had best back up your data and do a fresh install of the OS after wiping the disk,
and change your passwords.
 
LVL 65

Assisted Solution

by: btan (earned 1200 total points)
ID: 41894603
RogueKiller only takes action on those in RED; if an item is not among the RED, it means it cannot remove it. That is why we cannot rely on a single tool; do consider AdwCleaner and Malwarebytes Anti-Malware as suggested by the experts.

However, the alert of a Zeus infection may be a false positive, as RK had a signature conflict:
It was indeed a signature conflict, because for Zeus we have the same signature as MBAM (seen with a dump of mbamservice.exe). As the database is loaded in memory, it will be detected as malicious by RK.
We just whitelisted the mbamservice process.
https://forum.adlice.com/index.php?topic=300.0

But from the other scan, it may be that the machine is already compromised, and I strongly suggest that the machine be rebuilt from a clean state instead of cleaning up. The root cause may have penetrated and be resident in other media, like an infected USB, an email attachment or a drive-by download from a compromised website. In short, recurrence is possible. I agree with nobus on the recovery of data and the change of login password (use a strong password).
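The signature-conflict explanation in btan's comment above is the vendor's word; before deleting a file that one scanner calls "Zeus", a practitioner would check whether the flagged binary is the product's own signed executable. The following PowerShell is an added example, not code from the thread, from Adlice or from Malwarebytes. The publisher substring and the search under both Program Files roots are assumptions about where the product installs and how its certificate is named.

```powershell
# Added example, not from the thread: check the Authenticode signature and SHA-256 of a file
# that one scanner flagged (here mbamservice.exe, which RogueKiller reported as "Zeus").
# The expected publisher name and the search roots are assumptions; adjust for your product.

function Test-FlaggedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher = 'Malwarebytes'   # assumed substring of the signer's subject
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $null }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File            = $Path
        SHA256          = $hash            # compare against the vendor's published hash or a multi-engine lookup
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $subject
        # A valid signature from the expected publisher shows the file is what the vendor shipped.
        # Together with the vendor's own admission of a signature clash, that points to a false positive.
        LikelyFalsePositive = ($sig.Status -eq 'Valid') -and ($subject -match [regex]::Escape($ExpectedPublisher))
    }
}

# Locate mbamservice.exe under either Program Files directory (32- or 64-bit install).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -Filter 'mbamservice.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-FlaggedBinary -Path $_.FullName } |
    Format-List
```

A `Valid` status with the right signer does not prove a file is benign in general; it proves the bytes on disk are the ones the publisher signed. For a known security product that the vendor has already acknowledged clashes with another tool's signatures, that is the check that separates a false positive from a tampered service binary. `HashMismatch` or `NotSigned` on a file that should be signed is the opposite signal and deserves the rebuild advice given later in the thread.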
 
LVL 49

Assisted Solution

by: dbrunton (earned 800 total points)
ID: 41894947
RogueKiller

If you are happy with the Asana Extension for Chrome then leave it alone. Otherwise uninstall it.

RogueKiller seems unhappy with the path to your QuickBooks. If QuickBooks works OK for you, leave it alone. You probably don't want it deleted anyway.

RogueKiller does not like Solvusoft software and regards it as bad. If you have Solvusoft software on, then consider deleting it. Comments about Solvusoft software range from positive to bad. There are indications that it may/might contain trojans or malware. Or not.

Now for the entries in gray, the ones flagged PUM.Dns.
These are registry paths that seem to be legitimate, but the data may not be legitimate. That is the 10.0.0.1 ([ ]).

RogueKiller will not delete those because they may be legitimate. See http://www.adlice.com/remove-pum/ for more information.

Now it is quite probable that your ISP has supplied you with a modem that has the address 10.0.0.1. If so, then the registry paths are probably quite legitimate. I can't tell.
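dbrunton's point about the PUM.Dns entries above can be settled on the machine itself: RogueKiller is reporting the per-interface `NameServer` / `DhcpNameServer` values under the Tcpip `Interfaces` key, and the question is whether each address is the router (expected) or something nobody configured (DNS hijack). The script below is an added example, not code from the thread or from Adlice; it assumes Windows 8 / Server 2012 or later so that `Get-NetRoute` and `Get-NetAdapter` are available.

```powershell
# Added example, not from the thread: list the per-interface DNS resolver values that
# RogueKiller reports as PUM.Dns and compare each one with the machine's IPv4 default gateway.
# Assumes Windows 8 / Server 2012 or later (Get-NetRoute, Get-NetAdapter).
$interfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsServerAudit {
    # Default gateway(s); a home router normally hands out its own address as the resolver.
    $gateways = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty NextHop -Unique)

    # The registry keys are named by interface GUID; map them to adapter friendly names.
    $names = @{}
    Get-NetAdapter -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.InterfaceGuid] = $_.Name }

    foreach ($iface in Get-ChildItem -Path $interfacesKey) {
        $props = Get-ItemProperty -Path $iface.PSPath
        # NameServer is a static resolver (set by an admin, a VPN client, or malware);
        # DhcpNameServer is whatever the DHCP server handed out.
        foreach ($field in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$field
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # The value is a space- or comma-separated list of addresses.
            foreach ($dns in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                $verdict = if ($gateways -contains $dns) {
                    'matches default gateway (typical home setup)'
                } elseif ($field -eq 'DhcpNameServer') {
                    'supplied by DHCP; confirm it is your router or ISP'
                } else {
                    'STATIC and not the gateway; make sure you set this yourself'
                }
                [pscustomobject]@{
                    Adapter   = if ($names.ContainsKey($iface.PSChildName)) { $names[$iface.PSChildName] } else { $iface.PSChildName }
                    Field     = $field
                    DnsServer = $dns
                    Verdict   = $verdict
                }
            }
        }
    }
}

Get-DnsServerAudit | Format-Table -AutoSize
```

In the case discussed here, `10.0.0.1` appearing as `DhcpNameServer` on the active adapter while `Get-NetRoute` shows `10.0.0.1` as the gateway is exactly the benign outcome dbrunton describes. A static `NameServer` pointing at a public address that the owner never configured is the case the PUM category exists for, and it should be removed (or reset to "obtain automatically") by hand, since RogueKiller deliberately leaves it alone.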
 
LVL 3

Author Comment

by:Abraham Deutsch
ID: 41894966
Doing a fresh install in my case is not so simple, since I have a lot of tools which I collected over the years. I will definitely lose some, and with others I will have license issues since I did not save each and every license.

Also I have a few NAS drives and external drives attached; worms may be sitting there and come back after the fresh install. It may be in a Microsoft doc, from where I see someone has tried to have access (already changed password), and will come back as soon as I sign in and the folders sync.

I believe the virus can be removed, but it's time consuming. A fresh install and putting this workstation back as it is now will also be time consuming (this is not your typical PC). I would rather spend the time and gain experience.


As said earlier, I already ran Malwarebytes and it did not detect any threat [based on my current experience I would say this is the least effective of the others].


I ran AdwCleaner and it removed some stuff, see attached.


I removed Asana.


Solvusoft seems to have been removed by AdwCleaner, since I don't see it anymore in the Add/Remove Programs list.


I see Kaspersky did not find anything at its last scan.


Now I ran AdwCleaner and it shows no threats. It may be a good idea to run a scan before Windows boots, so if the virus is in the kernel layer or in the boot part of the operating system it should remove it. Any recommendation on such a tool? Please advise.
It may be
AdwCleaner-C0-.txt
 
LVL 93

Expert Comment

by:nobus
ID: 41894990
Nobody wants to do a fresh install,
but in your case I would not think about another solution, since it was compromised already, as you said.
Do you want that to continue? If the answer is no, do a fresh install, I say.
 
LVL 49

Assisted Solution

by: dbrunton (earned 800 total points)
ID: 41894992
Adwcleaner didn't like the Asana extension either so it got rid of it.



Try the following:

TDSS Killer  http://www.bleepingcomputer.com/download/tdsskiller/  (this checks for root viruses)

If you are running Windows 8 or less (not 8.1 or 10) then also try Combofix  http://www.bleepingcomputer.com/download/combofix/

If you do run Combofix it may take a very long time.
 
LVL 65

Expert Comment

by:btan
ID: 41895160
A clean install, recovering data from backup and reinstalling your toolkit is the best approach. Since you already suspect there may be a recurrence, that best approach is recommended. Regardless, you can still continue as is, but you have to be extra careful using the machine.

If possible, do not connect this machine to the Internet. You may consider using Sandboxie to sandbox your browser for any browsing. Disconnect mapped drives rather than auto-mapping them for the time being.
 
LVL 3

Author Closing Comment

by:Abraham Deutsch
ID: 41896351
I tracked back and found the virus was only one day on my computer, so after cleaning with Kaspersky and AdwCleaner I feel comfortable that my computer is clean.

From my experience I would not recommend Malwarebytes, since it did not detect in real time (paid version) as well as after running a scan. The same goes for RogueKiller: its detection is poor and its capability of removing even less.
I am surprised Kaspersky did not detect it as it got infected, but after a scan it did remove stuff.
About AdwCleaner, I am amazed how quickly it runs and at its power of detecting and removal.

PS: I recommend disabling AutoPlay in Windows, so the removable drive will not open before the scan on the drive has completed.

Thank you all for your help.
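Two pieces of advice in this thread are worth applying as configuration rather than habit: the closing comment's recommendation to disable AutoPlay, and btan's earlier suggestion to disconnect mapped drives instead of letting them reconnect automatically. The script below is an added example, not code from the thread or from any of the tools discussed. It reads the current state, applies both changes, and reads the state again; it assumes an elevated PowerShell session (the HKLM policy value needs administrator rights) and Windows 8 or later for the `*-SmbMapping` cmdlets.

```powershell
# Added example, not from the thread: inspect and apply two hardening steps raised in the
# discussion, disabling AutoRun/AutoPlay and removing persistent drive mappings.
# Run from an elevated PowerShell; the HKLM write requires administrator rights.

$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoplayKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

function Get-AutoRunState {
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is *disabled*; 0xFF covers all of them.
    $mask = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # DisableAutoplay = 1 turns off the per-user AutoPlay prompt that opens newly attached media.
    $ap   = (Get-ItemProperty -Path $autoplayKey -Name DisableAutoplay -ErrorAction SilentlyContinue).DisableAutoplay
    [pscustomobject]@{
        NoDriveTypeAutoRun = if ($null -eq $mask) { 'not set (OS default)' } else { '0x{0:X2}' -f $mask }
        AutoRunFullyOff    = ($mask -eq 0xFF)
        AutoplayDisabled   = ($ap -eq 1)
    }
}

function Disable-AutoRunAndAutoplay {
    foreach ($k in $policyKey, $autoplayKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    New-ItemProperty -Path $policyKey   -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $autoplayKey -Name DisableAutoplay    -Value 1    -PropertyType DWord -Force | Out-Null
}

function Remove-PersistentMappings {
    # Persistent SMB mappings reconnect at every logon, which is how anything sitting on a NAS
    # share gets back in front of a freshly cleaned machine. Drop them and re-map by hand when needed.
    Get-SmbMapping -ErrorAction SilentlyContinue | ForEach-Object {
        "removing $($_.LocalPath) -> $($_.RemotePath)"
        Remove-SmbMapping -LocalPath $_.LocalPath -UpdateProfile -Force
    }
}

'Before:'; Get-AutoRunState
Disable-AutoRunAndAutoplay
Remove-PersistentMappings
'After:';  Get-AutoRunState
```

The weak state is the one `Get-AutoRunState` reports on an untouched machine: `NoDriveTypeAutoRun` absent (so the OS default applies) and `DisableAutoplay` absent. After the script runs, both values are set and `Get-SmbMapping` returns nothing, so a re-attached USB stick or NAS share is not opened until the user chooses to open it, which is the window the closing comment wants for scanning the drive first.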
 
LVL 49

Expert Comment

by:dbrunton
ID: 41896376
MalwareBytes is best when you have an infection and want to clean up and not as a real time anti-virus product.

Good for running over your system once a month as a check.
 
LVL 3

Author Comment

by:Abraham Deutsch
ID: 41896384
Three proprietary technologies—signature, heuristics, and behavior—automatically guard you and your online experience from malware that antivirus products don't find. Real-time protection detects and shields against the most dangerous forms of malware.

Breathe easy. Automatic scanning does the work for you, so you never have to worry about getting infected. Your computer and all its data stays safe.

https://www.malwarebytes.com/antimalware/
 
LVL 49

Expert Comment

by:dbrunton
ID: 41896431
Three proprietary technologies ...

etc etc

... and all its data stays safe.

Advertising.  Like a toothpaste advert or a party political advert.  They could also use "Trust us.  We know what we're doing."
