Need some help interpreting Registry files to delete after RogueKiller scan/report



buttercream
2013-12-06, 21:44
Hello, I don't think this is too significant, but I just don't want to delete the wrong registry files. Just asking for some help interpreting Registry files to delete after a RogueKiller scan/report. Listed in order are my comp info, a screen shot of the report and the report details pasted below. Can I just go ahead and delete these registry files that it marked? I already deleted the Battlefield 3 files because I've never played it on this comp... I've got AVG (latest), I use Malwarebytes Anti-Malware, Windows Defender, CCleaner, Revo Uninstaller, and Hitman Pro.

OS system summary
Screen shot of report - can I delete these registry files or are they important?
Report Results

RogueKiller V8.7.11 _x64_ [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lake [Admin rights]
Mode : Remove -- Date : 12/06/2013 14:09:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP UNIC] {FB84CEED-B488-4DE4-992A-81ECAAB47778} : C:\Program Files (x86)\btlfld3\Battlefield 3?��\bf3.exe [x] -> DELETED
[V2][SUSP UNIC] {FD8EDABF-F770-4D87-ABA0-4949087D4D92} : C:\Program Files (x86)\btlfld3\Battlefield 3?��\bf3.exe [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD7500BPVT-80HXZT3 +++++
--- User ---
[MBR] 36d5f8cf60b4e9f7529d3f2fdf4791b3
2df4e4393ef6efc24351e5bc0934916b : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 25600 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 52430848 | Size: 313006 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 693467136 | Size: 376797 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) VBTM Store 'n' Go USB Device +++++
--- User ---
[MBR] 82109384f09e68f403c3cb72f078bcec
[BSP] f6e5c8791cf3b5cb98fd55304feb305a : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 4 | Size: 242 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_D_12062013_140944.txt >>
RKreport[0]_S_12062013_140903.txt


There were two reports, so I just posted this one too, but I think the other report is what goes with the screenshot.

RogueKiller V8.7.11 _x64_ [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lake [Admin rights]
Mode : Scan -- Date : 12/06/2013 14:09:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP UNIC] {FB84CEED-B488-4DE4-992A-81ECAAB47778} : C:\Program Files (x86)\btlfld3\Battlefield 3?��\bf3.exe [x] -> FOUND
[V2][SUSP UNIC] {FD8EDABF-F770-4D87-ABA0-4949087D4D92} : C:\Program Files (x86)\btlfld3\Battlefield 3?��\bf3.exe [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD7500BPVT-80HXZT3 +++++
--- User ---
[MBR] 36d5f8cf60b4e9f7529d3f2fdf4791b3
[BSP] 2df4e4393ef6efc24351e5bc0934916b : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 25600 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 52430848 | Size: 313006 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 693467136 | Size: 376797 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) VBTM Store 'n' Go USB Device +++++
--- User ---
[MBR] 82109384f09e68f403c3cb72f078bcec
[BSP] f6e5c8791cf3b5cb98fd55304feb305a : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 4 | Size: 242 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_12062013_140903.txt >>
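As an added example that is not part of this post or of RogueKiller, the PowerShell script below audits the two UAC policy values the report flagged as [HJ POL][PUM], EnableLUA and ConsentPromptBehaviorAdmin, under the native and Wow6432Node policy keys. The full key paths are the standard Windows locations the report abbreviates as HKLM\[...]\System; the script only reads the registry and changes nothing.

```powershell
# Added example, not from the thread or from RogueKiller: a read-only audit of the
# UAC policy values that the report above flagged as [HJ POL][PUM]. Both the native
# and the Wow6432Node policy keys are checked. A value of 0 is reported as WEAKENED
# because EnableLUA = 0 turns UAC off and ConsentPromptBehaviorAdmin = 0 elevates
# administrators silently without any prompt.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Value name -> the setting RogueKiller wrote back in the Remove report above.
$Restored = @{
    'EnableLUA'                  = 1
    'ConsentPromptBehaviorAdmin' = 2
}

function Get-UacPolicyFinding {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $Restored.Keys) {
            $actual = $props.$name
            if ($null -eq $actual) {
                $status = 'NOT SET'          # value absent from this key
            } elseif ([int]$actual -eq 0) {
                $status = 'WEAKENED'         # the state the scan found
            } else {
                $status = 'OK'
            }
            [pscustomobject]@{
                Key      = $key
                Name     = $name
                Actual   = $actual
                Restored = $Restored[$name]
                Status   = $status
            }
        }
    }
}

# Print a table and exit non-zero if anything is weakened, so this can run from a script.
$findings = Get-UacPolicyFinding
$findings | Format-Table -AutoSize
if ($findings.Status -contains 'WEAKENED') { exit 1 }
```

Run it from an elevated PowerShell prompt on the machine being checked; a WEAKENED row means the same condition RogueKiller reported, and a value of 0 under either key should be investigated rather than assumed to be a user choice.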

buttercream
2013-12-06, 21:46
Sorry, here is the system info of the comp.

buttercream
2013-12-06, 22:06
I just noticed that I had a USB device plugged in and it showed up on the report - just ignore the RogueKiller results posted for the "PHYSICALDRIVE1 @ USB - VBTM Store 'n' Go USB Device" - also maybe check over the report listed below too, sorry for that.

tashi
2013-12-07, 02:13
Hello buttercream,

If you have an infected personal computer and wish to request assistance in this forum, the FAQ includes guidelines in post #1 and instructions in post #2 on how to provide the preliminary DDS and aswMBR logs used for analysis. :)

http://forums.spybot.info/showthread.php?t=288

You would need to start a new topic providing those logs only and a link back to this one.

Best regards.