Adlice forum
General Category => Malware removal help => Topic started by: BillParker on December 30, 2014, 06:41:14 PM
-
Have run RogueKiller three times. Just ran it for the third time, and under "Registry" it found 6 items, all of type PUM.Dns. Under "AntiRootkit" it found several items that it highlighted green and two items it highlighted red. The two red items are listed under Detection as Filter: (Root.Keylogger). I have no idea how to proceed - what to do. Please help.
Can I simply "Restore" the computer to an earlier time to get rid of any malware/virus/keylogger/etc.?
-
Hello
Can you please post the report?
-
How do I post it?
-
RogueKiller V10.1.1.0 (x64) [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Relax [Administrator]
Mode : Scan -- Date : 12/30/2014 11:17:01
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.128.128.128 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.128.128.128 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.128.128.128 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0AAB602D-30F1-4657-931A-FD8197C3902F} | DhcpNameServer : 10.128.128.128 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0AAB602D-30F1-4657-931A-FD8197C3902F} | DhcpNameServer : 10.128.128.128 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0AAB602D-30F1-4657-931A-FD8197C3902F} | DhcpNameServer : 10.128.128.128 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000082 (\SystemRoot\system32\DRIVERS\FwLnk.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000070 (\SystemRoot\system32\DRIVERS\FwLnk.sys)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 29d01b0b9268ccf78551fec292f699cf
[BSP] c3795601d96ffaea385bdd3005be7ae0 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 464879 MB
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 955146240 | Size: 10560 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_12272014_212034.log - RKreport_DEL_12302014_103749.log - RKreport_SCN_12272014_205329.log - RKreport_SCN_12302014_101920.log
-
Looks like FwLnk.sys is related to Toshiba; it will be whitelisted.
http://www.runscanner.net/lib/FwLnk.sys.html
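Triage logic for the two detection types in the report above (PUM.Dns registry entries and Filter(Root.Keylogger) antirootkit entries), as an added example that is not part of the original thread or of RogueKiller's own code. The OEM allow-list contents and the last two sample lines (a non-RFC1918 resolver and an unknown filter image) are assumptions constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Report lines in RogueKiller's text format. The first two are copied from the
# scan report posted in this thread; the last two are constructed to exercise
# the other branches (a non-RFC1918 resolver and a filter image not on the list).
SAMPLE_REPORT = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.128.128.128 -> Found
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000070 (\SystemRoot\system32\DRIVERS\FwLnk.sys)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | NameServer : 203.0.113.53 198.51.100.2 -> Found
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass1 : \Driver\ExampleFlt @ \Device\00000099 (\??\C:\EXAMPLE\example_unknown.sys)
"""

PUM_DNS_RE = re.compile(r"^\[PUM\.Dns\] \((\w+)\) (.+?) \| (\w+) : (.+?) -> (\w+)$")
FILTER_RE = re.compile(r"^\[Filter\((.+?)\)\] (\S+) @ (\S+) : (\S+) @ (\S+) \((.+)\)$")

# RFC 1918 ranges: a DhcpNameServer inside them is normally the LAN router
# handing out its own address as the resolver, which is why such an entry is a
# "potentially unwanted modification" to confirm rather than a malware verdict.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Filter images accepted as legitimate OEM components. Assumption for this
# example: FwLnk.sys is listed because the thread concludes it is Toshiba-related;
# in practice, populate this from vendor documentation and signature checks.
KNOWN_OEM_FILTERS = {"fwlnk.sys"}


def triage_line(line):
    """Parse one report line into a dict with a review flag, or None if not recognised."""
    m = PUM_DNS_RE.match(line)
    if m:
        servers = [ip_address(a) for a in m.group(4).split()]
        private = all(any(a in n for n in RFC1918) for a in servers)
        return {"kind": "PUM.Dns", "key": m.group(3), "servers": [str(a) for a in servers],
                "rfc1918": private, "review": not private}
    m = FILTER_RE.match(line)
    if m:
        image = m.group(6)                      # full image path of the filter driver
        name = image.rsplit("\\", 1)[-1].lower()
        ok = name in KNOWN_OEM_FILTERS
        return {"kind": "Filter", "detection": m.group(1), "class_driver": m.group(2),
                "device": m.group(3), "filter_driver": m.group(4), "image": image,
                "image_name": name, "whitelisted": ok, "review": not ok}
    return None


def triage_report(text):
    """Return one triage record per recognised line, in report order."""
    return [r for r in (triage_line(ln.strip()) for ln in text.splitlines()) if r]


def needs_review(records):
    """Records a helper would still ask about: non-LAN resolvers and unlisted filter images."""
    return [r for r in records if r["review"]]
```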