Solved

Roguekiller has no option of deleting

Posted on 2016-11-18
19
43 Views
Last Modified: 2016-11-21
I ran a Roguekiller scan and it detected some threats, but I have no option of deleting them; even when I select the list, it still says not selected. See attached.
Roguekiller.JPG
Question by:Abraham Deutsch
19 Comments
 
LVL 4

Expert Comment

by:Raghav
ID: 41892913
Hi,

You might find something useful in the links below:

http://www.bleepingcomputer.com/forums/t/554514/pumdns-found-on-rogue-killer-help-please/

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

You also might want to disable / uninstall software from Solvusoft to see if this fixes your issue.

Good luck with that.

--Raghav.
0
 
LVL 61

Expert Comment

by:btan
ID: 41892947
Do see this shared FAQ:
Q – RogueKiller antirootkit found items, but I can’t check them for deletion. Why?
A – Antirootkit is for diagnostic only. It shows hooks made in the system, and potentially suspicious. Hooks are a consequence, and never a cause of malicious activity. So it wouldn’t make any sense to remove them, hence why they are not proposed for removal.
http://www.adlice.com/documentation/roguekiller/faq/
0
 
LVL 1

Author Comment

by:Abraham Deutsch
ID: 41893005
"RogueKiller antirootkit" Would you give me a little more explanation what antirootkit means, is it that I don't have the full version? (It's RogueKiller premium)
0
 
LVL 61

Expert Comment

by:btan
ID: 41893058
Anti-rootkit is in all versions @ http://www.adlice.com/download/roguekiller/
Come to think of it, and as is evident from the image, a PUP is not really a hook as depicted under the AK scan. See these AK findings:
https://forum.adlice.com/index.php?topic=195.msg733#msg733
I saw the issue is due to a product issue to be patched instead. You probably have to get the latest version and reinstall:
https://forum.adlice.com/index.php?topic=323.msg1399#msg1399
Alternatively, you can try RogueKillerCMD, but it is a paid version based on the version table.
0
 
LVL 91

Expert Comment

by:nobus
ID: 41893994
I suppose you ran other AV and malware scans?
If not, run these too:
MBAM: http://www.malwarebytes.org/mbam.php
JRT: http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/
0
 
LVL 61

Accepted Solution

by:
btan earned 300 total points
ID: 41894013
To add, you can try removal using this:
AdwCleaner is a program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer.
http://www.bleepingcomputer.com/download/adwcleaner/
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 41894414
What Roguekiller has found is one suspicious Chrome addon and four registry entries.

The Chrome addon can be uninstalled by the user.  That's no big problem.

The first registry entry points to Solvusoft software.  If Solvusoft software is installed on this computer then it can be uninstalled.  That may get rid of that entry but I don't consider it important.

The other three ARE important but I can't see enough of them to see the full contents.
0
 
LVL 1

Author Comment

by:Abraham Deutsch
ID: 41894552
Is what you are saying that Roguekiller will only take action on what is marked red, giving no choice to kill PUPs etc.? So what is this check box near each line? (Selecting it keeps the status as not selected, see image.)

See attached; I have the latest version of Roguekiller.

I have the Malwarebytes paid version but it does not detect anything. On the image you can see the only threat Roguekiller marks red is Malwarebytes, and it disables it. (I enable it manually after a Roguekiller run.)

I also attached a report from Kaspersky, which deleted 12 threats yesterday.

I know I am under some attack (even with being protected with all of these protections), as messages were sent out from my Skype and an unauthorized user tried to access my Microsoft account (I have two-factor authentication on, so access was blocked). Also my internet browsing is very slow.
RogueKillerV.JPG
kaspersky.JPG
RoguekillerR.JPG
0
 
LVL 91

Expert Comment

by:nobus
ID: 41894567
In such a case you best back up your data and do a fresh install of the OS after wiping the disk,
and change your passwords.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 41894603
Roguekiller only takes action for those in RED, and if it is not among the RED, it means it cannot remove them. That is why we cannot rely on a single tool; do consider AdwCleaner and Malwarebytes Anti-Malware as suggested by the experts.

However, the alert of a Zeus infection may be a false positive, as RK has a conflict in signatures:
It was indeed a signature conflict, because for Zeus we have the same signature as MBAM (seen with a dump of mbamservice.exe). As the database is loaded in memory, it will be detected as malicious by RK.
We just whitelisted the mbamservice process.
https://forum.adlice.com/index.php?topic=300.0

But from the other scan, it may be that the machine is already compromised, and I strongly suggest that the machine be rebuilt from a clean state instead of cleaning up. The root cause may have penetrated and be resident in other media like an infected USB, an email attachment, or a drive-by download on a compromised website. In short, recurrence is possible. I agree with nobus on the recovery of data and the change of login password (use a strong password).
0
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 200 total points
ID: 41894947
Roguekiller

If you are happy with the Asana Extension for Chrome then leave it alone.  Otherwise uninstall it.

Roguekiller seems unhappy with your path to your Quickbooks.  If Quickbooks works OK for you leave it alone.  You probably don't want it deleted anyway.

Roguekiller does not like Solvusoft software and regards it as bad.  If you have Solvusoft software on then consider deleting it.  Comments about Solvusoft software range from positive to bad.  There are indications that it may/might contain trojans or malware.  Or not.

Now for the entries in gray - the ones flagged PUM.Dns
These are registry paths that seem to be legitimate.  But the data may not be legitimate.  That is the 10.0.0.1 ([ ])

Roguekiller will not delete those because they may be legitimate.  See http://www.adlice.com/remove-pum/ for more information.

Now it is quite probable that your ISP provider has supplied you with a modem that has the address in it of 10.0.0.1.  If so then the registry paths are probably quite legitimate.  I can't tell.
0
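The PUM.Dns entries discussed above are Windows' per-adapter DNS server settings, and the question a defender actually has to answer is whether the configured resolvers are the ones the household or ISP expects. The script below is an added example written for this page, not a tool from the thread or from Adlice; it assumes the entries live under the standard `Tcpip\Parameters\Interfaces\{GUID}` keys (the screenshots in the thread do not show the full paths), takes the expected gateway `10.0.0.1` from the post above as its allow-list, and parses a constructed `.reg` export rather than the live registry so it runs anywhere.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample .reg export for this example. The GUIDs and the 203.0.113.x
# addresses are made up (documentation range) and are not from the thread's
# screenshots; the key paths are the standard per-adapter TCP/IP keys where
# Windows stores DNS servers (NameServer = static, DhcpNameServer = from DHCP).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Domain"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"DhcpNameServer"="10.0.0.1"
"NameServer"="10.0.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"NameServer"="203.0.113.7,203.0.113.8"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only, enough for DNS values
DNS_VALUE_NAMES = {"NameServer", "DhcpNameServer"}
# Private ranges a home router would normally live in (RFC 1918 plus IPv6 ULA).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

Finding = Tuple[str, str, str, str]  # (interface GUID, value name, address, verdict)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used for string values into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def classify(address: str, expected: Set[str]) -> str:
    """Verdict for one resolver address against the addresses the user knows."""
    if address in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"          # not an IP at all: worth a look on its own
    if any(ip in net for net in LAN_NETWORKS):
        return "lan-unexpected"     # a LAN device, but not the known gateway
    return "public-unexpected"      # check against the ISP's published resolvers


def audit_dns_servers(reg_text: str, expected: Set[str]) -> List[Finding]:
    """Walk every interface key and classify each configured DNS server."""
    findings: List[Finding] = []
    for key, values in parse_reg_export(reg_text).items():
        if "\\Tcpip\\Parameters\\Interfaces\\" not in key:
            continue
        iface = key.rsplit("\\", 1)[1]
        for name, value in values.items():
            if name not in DNS_VALUE_NAMES or not value:
                continue
            # Windows separates multiple servers with commas or spaces.
            for address in re.split(r"[,\s]+", value.strip()):
                findings.append((iface, name, address, classify(address, expected)))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """Only the entries a person should actually verify."""
    return [f for f in findings if f[3] != "expected"]


if __name__ == "__main__":
    for f in audit_dns_servers(SAMPLE_REG_EXPORT, {"10.0.0.1"}):
        print(*f)
```

On a real machine the export to feed in comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces dns.reg` run in an administrator prompt; a `lan-unexpected` verdict is usually another router or NAS on the network, while a `public-unexpected` one should be compared against the ISP's documented resolver addresses before anything is changed, which is the same judgement call the post above describes.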
 
LVL 1

Author Comment

by:Abraham Deutsch
ID: 41894966
Doing a fresh install in my case is not so simple, since I have a lot of tools which I collected over the years. I will definitely lose some, and with others I will have license issues since I did not save each and every license.

Also I have a few NAS drives and external drives attached; worms may be sitting there and come back after the fresh install. It may be in a Microsoft doc, from where I see someone has tried to have (already changed password), and will come back as soon as I sign in and the folders sync.

I believe the virus can be removed, but it's time consuming. A fresh install and putting this workstation back as it is now will also be time consuming (this is not your typical PC). I would rather spend the time and gain experience.


As said earlier, I already ran Malwarebytes and it did not detect any threat [based on my current experience I would say this is the least effective over the others].


I ran AdwCleaner and it removed some stuff, see attached.


I removed Asana.


Solvusoft seems to have been removed by AdwCleaner, since I don't see it anymore in the add/remove programs list.


I see Kaspersky did not find anything at its last scan.


Now when I ran AdwCleaner it showed no threats. It may be a good idea to run a scan before Windows boots, so if the virus is in the kernel layer or in the boot part of the operating system it should remove it. Any recommendation on such a tool? Please advise.
It may be
AdwCleaner-C0-.txt
0
 
LVL 91

Expert Comment

by:nobus
ID: 41894990
Nobody wants to do a fresh install,
but in your case I would not think about another solution, since it was compromised already, as you said.
Do you want that to continue? If the answer is no, do a fresh install, I say.
0
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 200 total points
ID: 41894992
Adwcleaner didn't like the Asana extension either so it got rid of it.



Try the following:

- TDSS Killer: http://www.bleepingcomputer.com/download/tdsskiller/ (this checks for root viruses)
- If you are running Windows 8 or less (not 8.1 or 10) then also try Combofix: http://www.bleepingcomputer.com/download/combofix/

If you do run Combofix it may take a very long time.
0
 
LVL 61

Expert Comment

by:btan
ID: 41895160
A clean install, recovering data from backup and reinstalling your toolkit is the best approach. Since you already suspect there may be a recurrence, that best approach is recommended. Regardless, you can still continue as is, but you have to be extra careful using the machine.

If possible, do not connect this machine to the Internet. You may consider using Sandboxie to sandbox your browser for any browsing. Disconnect mapped drives rather than auto-mapping them for the time being.
0
 
LVL 1

Author Closing Comment

by:Abraham Deutsch
ID: 41896351
I tracked back and found the virus was only one day on my computer, so after cleaning with Kaspersky and AdwCleaner I feel comfortable that my computer is clean.

From my experience I would not recommend Malwarebytes, since it did not detect in real time (paid version) as well as after running a scan. Same with Roguekiller: its detection is poor and its capability of removing even less.
I am surprised Kaspersky did not detect it as it got infected, but after a scan it did remove stuff.
About AdwCleaner, I am amazed how quickly it runs and at its power of detection and removal.

PS: I recommend disabling AutoPlay in Windows, so the removable drive will not open before the scan on the drive is completed.

Thank you all for your help.
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 41896376
MalwareBytes is best when you have an infection and want to clean up and not as a real time anti-virus product.

Good for running over your system once a month as a check.
0
 
LVL 1

Author Comment

by:Abraham Deutsch
ID: 41896384
Three proprietary technologies—signature, heuristics, and behavior—automatically guard you and your online experience from malware that antivirus products don't find. Real-time protection detects and shields against the most dangerous forms of malware.

Breathe easy. Automatic scanning does the work for you, so you never have to worry about getting infected. Your computer and all its data stays safe.

https://www.malwarebytes.com/antimalware/
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 41896431
Three proprietary technologies ...

etc etc

... and all its data stays safe.

Advertising.  Like a toothpaste advert or a party political advert.  They could also use "Trust us.  We know what we're doing."
0
