Adlice forum

Software feedback => RogueKiller => Topic started by: Nick_Mukola on October 09, 2014, 12:44:27 AM

Title: Need help experts!
Post by: Nick_Mukola on October 09, 2014, 12:44:27 AM
Hi guys!
Please tell me what to do with this?!
Everything that could be removed with the help of your program has been removed, and what is left is ...
There were these two processes:
=====================
¤¤¤ Processes : 2 ¤¤¤
[Proc.Hidden]  -- [Proc.Hidden]  --
=====================
and RogueKiller removed them)))

Here is what is left; tell me what to do with it:
=====================
¤¤¤ Antirootkit : 8 (Driver: Loaded) ¤¤¤
[Filter()] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\Drivers\crashdmp.sys)
[EAT:Addr] (explorer.exe) ieproxy.dll - DllCanUnloadNow : C:\Windows\system32\UIRibbon.dll @ 0x69124b75
[EAT:Addr] (explorer.exe) ieproxy.dll - DllGetClassObject : C:\Windows\system32\UIRibbon.dll @ 0x690c99e6
[EAT:Addr] (explorer.exe) ieproxy.dll - DllMain : C:\Windows\system32\UIRibbon.dll @ 0x69021276
[EAT:Addr] (explorer.exe) rtutils.dll - DllCanUnloadNow : C:\Windows\system32\prnfldr.dll @ 0x71f210a9
[EAT:Addr] (explorer.exe) rtutils.dll - DllGetClassObject : C:\Windows\system32\prnfldr.dll @ 0x71f2234c
[EAT:Addr] (explorer.exe) rtutils.dll - DllRegisterServer : C:\Windows\system32\prnfldr.dll @ 0x71f4ab95
[EAT:Addr] (explorer.exe) rtutils.dll - DllUnregisterServer : C:\Windows\system32\prnfldr.dll @ 0x71f4ab95

=====================
And these lines also confuse me:

===============
User = LL1 ... OK
Error reading LL2 MBR! ([1] ???????? ???????.)
===============
It looks like some sort of new infection; I have tried a bunch of antivirus programs and nothing helps (I'll soon become an expert myself), but your program is different from the others in that it at least sees it!
Thanks in advance for your help!
Title: Re: Need help experts!
Post by: Tigzy on October 09, 2014, 07:36:06 AM
Hello
The hidden process issue is known, we're working on it.

The driver section has several false positives that we'll fix for the next release.
Title: Re: Need help experts!
Post by: Nick_Mukola on October 09, 2014, 03:03:55 PM
Hello Tigzy!
That is, you're saying that everything is fine and that these are false positives in your program?!
Well, we will wait for the new release of your program)))
Title: Re: Need help experts!
Post by: Tigzy on October 09, 2014, 03:27:58 PM
Yes, exactly. That hidden process detection will be more verbose in the next release, and tell what process it is.
That'll maybe help to understand why they are detected.

Nothing else to do for you.
Title: Re: Need help experts!
Post by: Nick_Mukola on November 25, 2014, 02:36:08 PM
Yes, exactly. That hidden process detection will be more verbose in the next release, and tell what process it is.
That'll maybe help to understand why they are detected.

Nothing else to do for you.

Why does your program see nothing else? I have a feeling that your program is beginning to miss this unknown mysterious process ... =(
After the scan, your program sends me to this page
http://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/
And what do I do next?! I just don't really know what to do next ...

By the way, I forgot to tell you: the program Kerish Doctor 2014 also sees this mysterious process.

When I boot from the "Windows 8" disc and run the program AVZ, it shows the strangeness in the screenshot. As you can see, this strange address "\SystemRoot\System32\drivers\cdrom.sys" pops up again.
Title: Re: Need help experts!
Post by: Nick_Mukola on November 25, 2014, 02:50:35 PM
No other programs react to this mysterious process at startup; only your program and Kerish Doctor 2014 see it.

I just finished a scan with your program and again there are these lines that are not clear ...
¤¤¤ Antirootkit : 66 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\drivers\fwpkclnt.sys)
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcAsyncCompleteCall : C:\Windows\system32\WINSPOOL.DRV @ 0x743fd8a8
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingSetAuthInfoExW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1f6
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingSetObject : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb67
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcStringBindingComposeW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1ef
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingFromStringBindingW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1e8
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingSetOption : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb49
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingFree : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa20b
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcStringFreeW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1fd
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - I_RpcExceptionFilter : C:\Windows\system32\WINSPOOL.DRV @ 0x744081f9
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - NdrAsyncClientCall : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb5d
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - NdrClientCall2 : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa204
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcSmDestroyClientContext : C:\Windows\system32\WINSPOOL.DRV @ 0x74408225
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcAsyncInitializeHandle : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb53
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcMgmtIsServerListening : C:\Windows\system32\WINSPOOL.DRV @ 0x74408203
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcRaiseException : C:\Windows\system32\WINSPOOL.DRV @ 0x744081ef
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcAsyncCancelCall : C:\Windows\system32\WINSPOOL.DRV @ 0x744081e5
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcEpResolveBinding : C:\Windows\system32\WINSPOOL.DRV @ 0x7440849a
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\WINSPOOL.DRV @ 0x744082fa
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\WINSPOOL.DRV @ 0x744082e6
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\WINSPOOL.DRV @ 0x7440834c
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\WINSPOOL.DRV @ 0x74408342
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoUninitialize : C:\Windows\system32\WINSPOOL.DRV @ 0x744082f0
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoGetApartmentType : C:\Windows\system32\WINSPOOL.DRV @ 0x7440820d
[IAT:Addr] (explorer.exe @ VERSION.dll) DSROLE.dll - DsRoleFreeMemory : C:\Windows\system32\WINSPOOL.DRV @ 0x74408247
[IAT:Addr] (explorer.exe @ VERSION.dll) DSROLE.dll - DsRoleGetPrimaryDomainInformation : C:\Windows\system32\WINSPOOL.DRV @ 0x7440822f
[IAT:Addr] (explorer.exe @ VERSION.dll) netutils.dll - NetApiBufferFree : C:\Windows\system32\WINSPOOL.DRV @ 0x7440824e
[IAT:Addr] (explorer.exe @ VERSION.dll) logoncli.dll - DsGetDcNameW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408266
[IAT:Addr] (explorer.exe @ VERSION.dll) DNSAPI.dll - DnsNameCompare_W : C:\Windows\system32\WINSPOOL.DRV @ 0x7440829d
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l1-1-0.dll - CloseServiceHandle : C:\Windows\system32\WINSPOOL.DRV @ 0x7440833b
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l1-1-0.dll - OpenSCManagerW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408304
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l1-1-0.dll - OpenServiceW : C:\Windows\system32\WINSPOOL.DRV @ 0x7440831c
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l2-1-0.dll - QueryServiceConfigW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408323
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-security-sddl-l1-1-0.dll - ConvertSidToStringSidW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fc73d
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetForegroundWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x744083e2
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetDesktopWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440845a
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetWindowLongW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408450
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetWindowLongW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408446
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - EndDialog : C:\Windows\system32\WINSPOOL.DRV @ 0x7440843c
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SendDlgItemMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408432
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetWindowPos : C:\Windows\system32\WINSPOOL.DRV @ 0x74408428
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetActiveWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440841e
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MessageBoxW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408414
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SendNotifyMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408356
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - DispatchMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408360
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440836a
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - EnableWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x74408374
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - AllowSetForegroundWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440837e
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - IsWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x74408388
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MsgWaitForMultipleObjectsEx : C:\Windows\system32\WINSPOOL.DRV @ 0x74408392
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - PeekMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x7440839c
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetGUIThreadInfo : C:\Windows\system32\WINSPOOL.DRV @ 0x744083a6
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - TranslateMessage : C:\Windows\system32\WINSPOOL.DRV @ 0x744083b0
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetFocus : C:\Windows\system32\WINSPOOL.DRV @ 0x744083ba
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetParent : C:\Windows\system32\WINSPOOL.DRV @ 0x744083c4
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - DialogBoxParamW : C:\Windows\system32\WINSPOOL.DRV @ 0x744083ce
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetFocus : C:\Windows\system32\WINSPOOL.DRV @ 0x744083d8
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetDlgItemTextW : C:\Windows\system32\WINSPOOL.DRV @ 0x7440840a
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - IsImmersiveProcess : C:\Windows\system32\WINSPOOL.DRV @ 0x743ffd7e
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetLastActivePopup : C:\Windows\system32\WINSPOOL.DRV @ 0x744083ec
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MsgWaitForMultipleObjects : C:\Windows\system32\WINSPOOL.DRV @ 0x744083f6
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - PostQuitMessage : C:\Windows\system32\WINSPOOL.DRV @ 0x74408400
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - GetDeviceCaps : C:\Windows\system32\WINSPOOL.DRV @ 0x7440846e
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - CreateDCW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408464
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - GdiIsUMPDSandboxingEnabled : C:\Windows\system32\WINSPOOL.DRV @ 0x743fc6b8
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - DeleteDC : C:\Windows\system32\WINSPOOL.DRV @ 0x74408478
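Added example (not part of the thread, and not RogueKiller's own code): a small Python parser for the `[Filter(...)]`, `[EAT:Addr]` and `[IAT:Addr]` lines pasted above, so the 60-odd per-function entries can be collapsed into a few "module -> resolves into" rows for triage. The line formats are inferred from the lines in this thread only; the "resolves outside the Windows system directory" heuristic is an assumption added here for illustration, not a RogueKiller rule. The sample log embeds a few of the lines posted above plus one constructed line (`constructed_example.dll` under `C:\Users\Public`) to show what the heuristic flags; every line from the thread resolves into a module under `system32`, which is consistent with Tigzy's note that these entries were false positives.

```python
"""Parse RogueKiller 'Antirootkit' log lines and summarize where hooked
addresses resolve. Added example for this thread; not RogueKiller code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Format inferred from the thread, e.g.
# [EAT:Addr] (explorer.exe) ieproxy.dll - DllCanUnloadNow : C:\Windows\system32\UIRibbon.dll @ 0x69124b75
# [IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingFree : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa20b
HOOK_RE = re.compile(
    r"^\[(?P<kind>EAT|IAT):Addr\]\s+"
    r"\((?P<process>[^)@]+?)(?:\s+@\s+(?P<importer>[^)]+))?\)\s+"
    r"(?P<module>\S+)\s+-\s+(?P<function>\S+)\s+:\s+"
    r"(?P<target>.+?)\s+@\s+(?P<address>0x[0-9a-fA-F]+)\s*$"
)
# [Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\drivers\fwpkclnt.sys)
FILTER_RE = re.compile(
    r"^\[Filter\((?P<tag>[^)]*)\)\]\s+"
    r"(?P<lower>\S+)\s+@\s+(?P<lower_dev>\S+)\s+:\s+"
    r"(?P<upper>\S+)\s+@\s+(?P<upper_dev>\S+)\s+\((?P<image>[^)]+)\)\s*$"
)

# Assumed triage heuristic (not a RogueKiller rule): a hooked address that
# resolves into a module outside the system directory deserves a closer look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "\\systemroot\\system32\\")


@dataclass(frozen=True)
class Hook:
    kind: str                # "EAT" or "IAT"
    process: str             # process whose tables were inspected
    importer: Optional[str]  # module whose import table held the entry (IAT only)
    module: str              # module the export/import nominally belongs to
    function: str
    target: str              # module the address actually resolves into
    address: int


@dataclass(frozen=True)
class KernelFilter:
    tag: str
    lower_driver: str
    upper_driver: str
    device: str
    image: str               # driver image the filter's dispatch points into


def parse_antirootkit(text: str) -> Tuple[List[Hook], List[KernelFilter], List[str]]:
    """Split a log into hook entries, kernel filter entries and unparsed lines."""
    hooks, filters, unparsed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["kind"], m["process"], m["importer"], m["module"],
                              m["function"], m["target"], int(m["address"], 16)))
            continue
        m = FILTER_RE.match(line)
        if m:
            filters.append(KernelFilter(m["tag"], m["lower"], m["upper"],
                                        m["upper_dev"], m["image"]))
            continue
        unparsed.append(line)
    return hooks, filters, unparsed


def target_name(path: str) -> str:
    """Last path component, e.g. 'WINSPOOL.DRV'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def suspicious_hooks(hooks: List[Hook]) -> List[Hook]:
    """Entries whose resolved module lies outside the system directory."""
    return [h for h in hooks if not in_system_dir(h.target)]


def redirection_map(hooks: List[Hook]) -> Dict[Tuple[str, str, str, str], List[str]]:
    """Collapse per-function lines into (process, kind, module, target) groups
    listing the functions in each, so one row summarizes many log lines."""
    groups = defaultdict(list)
    for h in hooks:
        groups[(h.process, h.kind, h.module, target_name(h.target))].append(h.function)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample: lines 1-6 are copied from the thread above; the last
# line is made up to exercise the out-of-system-directory heuristic.
SAMPLE_LOG = r"""
¤¤¤ Antirootkit : 8 (Driver: Loaded) ¤¤¤
[Filter()] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\Drivers\crashdmp.sys)
[EAT:Addr] (explorer.exe) ieproxy.dll - DllCanUnloadNow : C:\Windows\system32\UIRibbon.dll @ 0x69124b75
[EAT:Addr] (explorer.exe) ieproxy.dll - DllGetClassObject : C:\Windows\system32\UIRibbon.dll @ 0x690c99e6
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcAsyncCompleteCall : C:\Windows\system32\WINSPOOL.DRV @ 0x743fd8a8
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingFree : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa20b
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MessageBoxW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408414
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MessageBoxW : C:\Users\Public\constructed_example.dll @ 0x10001000
"""

if __name__ == "__main__":
    hooks, filters, unparsed = parse_antirootkit(SAMPLE_LOG)
    for f in filters:
        print(f"filter {f.lower_driver} -> {f.upper_driver} on {f.device}: {f.image}")
    for (proc, kind, mod, tgt), funcs in redirection_map(hooks).items():
        print(f"{proc} {kind} {mod} -> {tgt} ({len(funcs)} functions)")
    for h in suspicious_hooks(hooks):
        print(f"REVIEW: {h.kind} {h.module}!{h.function} resolves into {h.target}")
```

Run it on a pasted RogueKiller log and the `redirection_map` rows make the pattern in this thread visible at a glance: every `RPCRT4.dll` and `USER32.dll` import in the VERSION.dll table resolves into the same module, `WINSPOOL.DRV`, under `system32`. Only the constructed line lands in the REVIEW list; real lines that do so would be the ones worth checking against the module's signature and on-disk location before concluding anything.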