Adlice forum

Software feedback => RogueKiller => Topic started by: KOTARE on December 30, 2014, 05:34:51 PM

Title: Anti-rootkit results? Unsure what to do with these
Post by: KOTARE on December 30, 2014, 05:34:51 PM
Hi all.

I can't select these items in RK to be deleted - I'm unsure what to do with them.
JG

Can't UL file so listed below:


RogueKiller V10.0.0.0 (x64) [Oct  7 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : KINGFISHER [Administrator]
Mode : Scan -- Date : 12/31/2014  00:25:17

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass5 : \Driver\SynTP @ \Device\0000009d (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass4 : \Driver\SynTP @ \Device\0000009b (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\SynTP @ \Device\00000099 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000098 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\0000008e (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[EAT:Addr] (explorer.exe) samcli.dll - DllCanUnloadNow : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222350
[EAT:Addr] (explorer.exe) samcli.dll - DllGetClassObject : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222130
[EAT:Addr] (explorer.exe) samcli.dll - DllRegisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb221f70
[EAT:Addr] (explorer.exe) samcli.dll - DllUnregisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222060

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6465GSX +++++
--- User ---
[MBR] c4a7161b6a04617324ada1e8e6e99a35
[BSP] f22a1020c3ae33691ec4576bb324c392 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 610378 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD7500BPKT-22PK4T0 +++++
--- User ---
[MBR] 27c661ad256d5194ac156f6352a0dc47
[BSP] b3b20bb8709b3c4333c1f43f4f99ef5d : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715402 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TOSHIBA External USB 3.0 USB Device +++++
--- User ---
[MBR] 00c00502dc4d8d07c9cdb3708859a264
[BSP] f95a0069f0928bdfcf078dd2b93016b5 : HP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_07262014_211846.log - RKreport_DEL_07262014_213155.log - RKreport_DEL_10082014_212938.log - RKreport_DEL_12302014_235711.log
RKreport_DEL_12302014_235740.log - RKreport_DEL_12312014_001904.log - RKreport_SCN_07262014_211836.log - RKreport_SCN_07262014_212939.log
RKreport_SCN_10062014_190124.log - RKreport_SCN_10082014_212200.log - RKreport_SCN_10082014_213146.log - RKreport_SCN_12302014_235146.log
RKreport_SCN_12312014_001614.log
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: Tigzy on December 30, 2014, 06:47:51 PM
Please download the latest version and retry :)
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: KOTARE on January 01, 2015, 01:11:55 AM
Hi there.  This IS from your website, I downloaded the most recent version, however when I run it it keeps telling me it's outdated.  Do you have a direct link to the newest version at all?
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: Tigzy on January 02, 2015, 09:06:24 AM
http://www.adlice.com/softwares/roguekiller/
Don't download from Fosshub link, they have an issue with updates...
You can try the Cloud/Local links.
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: KOTARE on January 02, 2015, 04:23:31 PM
Ok so I've reDL'd the exe - it's v10.1.1

I've done a scan and added the log below.  There is still no box to check the files to delete them - should there be?
J


RogueKiller V10.1.1.0 (x64) [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : KINGFISHER [Administrator]
Mode : Scan -- Date : 01/02/2015  23:19:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 5 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass5 : \Driver\SynTP @ \Device\0000009f (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass4 : \Driver\SynTP @ \Device\0000009a (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\SynTP @ \Device\00000098 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000097 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\0000008d (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6465GSX +++++
--- User ---
[MBR] c4a7161b6a04617324ada1e8e6e99a35
[BSP] f22a1020c3ae33691ec4576bb324c392 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 610378 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD7500BPKT-22PK4T0 +++++
--- User ---
[MBR] 27c661ad256d5194ac156f6352a0dc47
[BSP] b3b20bb8709b3c4333c1f43f4f99ef5d : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715402 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_01012015_080120.log - RKreport_DEL_07262014_211846.log - RKreport_DEL_07262014_213155.log - RKreport_DEL_10082014_212938.log
RKreport_DEL_12302014_235711.log - RKreport_DEL_12302014_235740.log - RKreport_DEL_12312014_001904.log - RKreport_SCN_07262014_211836.log
RKreport_SCN_07262014_212939.log - RKreport_SCN_10062014_190124.log - RKreport_SCN_10082014_212200.log - RKreport_SCN_10082014_213146.log
RKreport_SCN_12302014_235146.log - RKreport_SCN_12312014_001614.log - RKreport_SCN_12312014_002516.log
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: Tigzy on January 02, 2015, 05:05:54 PM
No, it's normal. Can you upload C:\Windows\system32\DRIVERS\o2mdgx64.sys on VirusTotal and give the link to the results?
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: KOTARE on January 03, 2015, 01:23:22 AM
I've installed Virustotal but it will not let me UL that file.  Any other options?
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: Curson on January 04, 2015, 12:52:50 AM
Hi KOTARE,

Could you please explain as clearly as possible what problems you encountered?
Please follow the following process to analyse the file.

1. Show Hidden Files and Folders

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
Click Apply and then click OK

2. Upload a file

Go to VirusTotal (https://www.virustotal.com)
When the page has finished loading, click the Choose file button and navigate to the following file and click Send file.
C:\Windows\system32\DRIVERS\o2mdgx64.sys
If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.

Regards.
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: KOTARE on January 04, 2015, 02:21:01 AM
Hi there.

I've followed those options.  I now see the file in my browser, but not in the Virus Total browser.  Any other options?
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: Curson on January 04, 2015, 03:14:25 AM
Hi KOTARE,

Could you try to attach the file on your next post? If you do so, I will upload it to VT myself.

Regards.
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: Tigzy on January 05, 2015, 10:49:50 AM
AFAIR, x86 web browsers are not able to browse inside the Sys32 folder.
You need to copy/paste the file to the desktop (with your Windows Explorer) prior to uploading it to VirusTotal.
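The copy-to-desktop step above, together with Curson's upload procedure, can be done in one go from PowerShell; this is an added example, not code from the thread or from RogueKiller. It assumes 64-bit Windows with PowerShell 4.0 or later (for Get-FileHash), and uses the driver path reported in the scan logs; the Sysnative alias is the documented way a 32-bit process reaches the real System32 despite WOW64 file system redirection, which is what stops a 32-bit browser's file picker from seeing the driver.

```powershell
# Added example (not from the thread): copy a driver flagged by RogueKiller out of
# System32 to the desktop, then record its SHA256 and Authenticode state so the
# VirusTotal result can be looked up by hash and cross-checked against the signer.
$driver = 'o2mdgx64.sys'   # file name from the RogueKiller log in this thread

# A 32-bit process that opens System32 is silently redirected to SysWOW64 (WOW64
# file system redirection). The 'Sysnative' alias bypasses that redirection and
# only exists for 32-bit processes, so probe it first and fall back to System32.
$sysnative = Join-Path $env:windir "Sysnative\DRIVERS\$driver"
$native    = Join-Path $env:windir "System32\DRIVERS\$driver"
$source = if (Test-Path $sysnative) { $sysnative } else { $native }
if (-not (Test-Path $source)) { throw "Driver not found: $source" }

# Copy to the desktop; from there any browser, 32- or 64-bit, can pick it up.
$dest = Join-Path ([Environment]::GetFolderPath('Desktop')) $driver
Copy-Item -Path $source -Destination $dest -Force

# Hash and signature of the copy (identical to the original after Copy-Item).
$hash = Get-FileHash -Path $dest -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $dest

[pscustomobject]@{
    Source    = $source
    Copy      = $dest
    SHA256    = $hash.Hash            # paste into the VirusTotal search box
    SigStatus = $sig.Status           # Valid / NotSigned / HashMismatch / ...
    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
}
```

A keyboard-class filter driver with a valid signature from the laptop vendor (here a Synaptics/O2Micro touchpad stack) is consistent with Curson's whitelisting conclusion; an unsigned or hash-mismatched one sitting on kbdclass is the case that actually warrants the Root.Keylogger concern.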
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: KOTARE on January 06, 2015, 12:02:29 AM
:)

Thanks
Title: Re: Anti-rootkit results? Unsure what to do with these
Post by: Curson on January 06, 2015, 04:23:57 PM
Hi KOTARE, Tigzy,

Many thanks for the tip Tigzy, I wasn't aware of this behaviour.

The driver is legit and will be whitelisted in a next release of RogueKiller.

Regards.