Adlice forum
Software feedback => RogueKiller => Topic started by: BMYWin on June 15, 2014, 01:50:48 PM
-
Hi,
I ran RogueKiller yesterday and today. It found several results in the AntiRootkit section, shown in orange.
Please see the following log.
RogueKiller V9.0.2.0 (x64) [Jun 3 2014] by Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ASUS [Admin rights]
Mode : Scan -- Date : 06/15/2014 16:17:51
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 0 ¤¤¤
¤¤¤ Antirootkit : 4 ¤¤¤
[IAT:Addr] (explorer.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x80110000
[IAT:Addr] (explorer.exe) USER32.dll - SetWinEventHook : Unknown @ 0x80140000
[IAT:Addr] (explorer.exe) USER32.dll - PostMessageW : Unknown @ 0x801e0000
[IAT:Addr] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x806b0000
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500420AS +++++
--- User ---
[MBR] 04cfb08bc107f7626406b88eecec6eec
[BSP] 163e72ee9ba60bbc237696e1256886ae : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 25600 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 52430848 | Size: 204800 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 471861248 | Size: 246538 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_06142014_183839.log - RKreport_DEL_06142014_184736.log - RKreport_DEL_06142014_185346.log - RKreport_DEL_06142014_190337.log
RKreport_DEL_06142014_193211.log - RKreport_DEL_06152014_160023.log - RKreport_SCN_06142014_183709.log - RKreport_SCN_06142014_184715.log
RKreport_SCN_06142014_185142.log - RKreport_SCN_06142014_190218.log - RKreport_SCN_06142014_193008.log - RKreport_SCN_06152014_155146.log
Then I searched for them on Google.
¤¤¤ Antirootkit : 4 ¤¤¤
SetWindowsHookExW
It seems to be a legit function from Microsoft.
SetWinEventHook
It seems to be a legit function from Microsoft.
PostMessageW
It seems to be a legit function from Microsoft.
NtSetSystemInformation
But this one seems to be an unknown function.
Then I scanned my PC with GMER; the log is attached below:
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-14 19:43:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.0003 465.76GB
Running: kz6yj5my.exe; Driver: C:\Users\ASUS\AppData\Local\Temp\pxldrpoc.sys
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e0b9a5453a43
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares@\xe65fK{ CSCFlags=2048?MaxUses=4294967295?Path=D:\d\????\???Permissions=0?Remark=?ShareName=???Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares@6b\26YYex[ CSCFlags=2048?MaxUses=4294967295?Path=D:\d\??????\?????Permissions=0?Remark=?ShareName=?????Type=0?
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e0b9a5453a43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Shares@\xe65fK{ CSCFlags=2048?MaxUses=4294967295?Path=D:\d\????\???Permissions=0?Remark=?ShareName=???Type=0?
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Shares@6b\26YYex[ CSCFlags=2048?MaxUses=4294967295?Path=D:\d\??????\?????Permissions=0?Remark=?ShareName=?????Type=0?
Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
---- EOF - GMER 2.1 ----
Question: Are they suspicious or not?
-
Hello
Of course the functions are from Microsoft, they are APIs :)
A hook is a detour of such a function, to install a filter.
Here as the module is unknown, we cannot tell if it's suspicious or not.
We don't have other hints in the file, registry, ... sections so let it be, that's good.
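The reply above says the only open question is which module the four IAT pointers in explorer.exe now point into. The following PowerShell snippet is an added example, not code from the thread or from Adlice, that performs that check on the live machine: it enumerates explorer.exe's loaded modules, finds the one whose address range contains each hooked address from the report, and shows that module's Authenticode status. The four addresses are copied from the report above; everything else (variable names, output format) is illustrative. ASLR relocates modules on every boot, so this only makes sense in the same boot session as the RogueKiller scan, from a 64-bit elevated PowerShell (a 32-bit shell cannot enumerate the modules of 64-bit explorer.exe).

```powershell
# Added example (not from the Adlice thread): map the addresses RogueKiller
# reported for explorer.exe's IAT entries back to the loaded module that owns them.
# Run in a 64-bit elevated PowerShell in the SAME boot session as the scan.

# Addresses copied from the report above; keys are "import DLL!function".
$hooked = @{
    'USER32.dll!SetWindowsHookExW'     = [Convert]::ToUInt64('80110000', 16)
    'USER32.dll!SetWinEventHook'       = [Convert]::ToUInt64('80140000', 16)
    'USER32.dll!PostMessageW'          = [Convert]::ToUInt64('801e0000', 16)
    'ntdll.dll!NtSetSystemInformation' = [Convert]::ToUInt64('806b0000', 16)
}

# Build a start/end table of every module mapped into explorer.exe.
$explorer = Get-Process -Name explorer | Select-Object -First 1
$modules  = $explorer.Modules | ForEach-Object {
    $base = [uint64]$_.BaseAddress.ToInt64()
    [pscustomobject]@{
        Name  = $_.ModuleName
        Path  = $_.FileName
        Start = $base
        End   = $base + [uint64]$_.ModuleMemorySize
    }
}

foreach ($entry in $hooked.GetEnumerator()) {
    $addr  = [uint64]$entry.Value
    # An IAT pointer normally lands inside the exporting DLL (user32.dll / ntdll.dll).
    $owner = $modules | Where-Object { $addr -ge $_.Start -and $addr -lt $_.End } | Select-Object -First 1
    if ($owner) {
        $sig = Get-AuthenticodeSignature -FilePath $owner.Path
        '{0,-34} -> {1} ({2}) signature={3}' -f $entry.Key, $owner.Name, $owner.Path, $sig.Status
    } else {
        # No module backs this address: the pointer targets memory that is not a loaded
        # image (e.g. a manually mapped or injected region), which is what makes the
        # entry "Unknown" to a scanner and worth dumping with a debugger.
        '{0,-34} -> 0x{1:X} is not inside any loaded module of explorer.exe' -f $entry.Key, $addr
    }
}
```

If every address resolves to a signed module such as a security product's DLL, the hooks are that product's filters and can be left alone, as the reply suggests. If an address resolves to an unsigned module, or to no module at all, that region is the thing to examine next (dump it from the process, check it with a second opinion scanner) before deciding it is harmless.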
-
Hi, Tigzy,
Thanks for your prompt reply.
I will keep an eye on them. If anything goes wrong with my PC, I will raise my hand and ask a question. Thank you.