Adlice forum
Software feedback => RogueKiller => Topic started by: firefoxthebomb on March 17, 2015, 03:49:54 PM
-
I am trying to use RogueKiller v10.5.5.0x64 to scan a couple of computers with Symantec Endpoint Protection v12.1.5 (a couple to confirm I get the same results). During the pre-scan process it stops scanning once it hits 80% and while checking services: NAVENG. I attached the screenshot. Also I was trying to get a dump using Process explorer, but RogueKiller also kills the process before I can use it to get the dump.
Any help appreciated... This has been happening for a few versions back as well.
-
Hi firefoxthebomb,
Welcome to Adlice.com Forum!
The behaviour you described is a known bug. We strive to solve it as soon as possible.
Regards.
-
Thanks for the Welcome! 8)
Thanks for getting back to me, I figured as much just thought I would share it just in case the info was needed or further testing was required. Look forward to a fix.
In the meantime, is there a work around?
-
Hi firefoxthebomb,
You are very welcome. :)
Your contribution to RogueKiller is appreciated.
Regarding the bug, there is unfortunately no workaround available at the moment, except to run the scan in Safe mode.
I will keep you informed of developments about this particular issue.
Regards.
-
Thanks for the additional update, I will try in safe mode, Windows 8 is a little trickier to get to safe mode....
Anyway look forward to an update and fix. Thanks
-
Hi firefoxthebomb,
You are welcome.
This guide might help you to reboot into Safe mode : How To Boot Into Safe Mode On Windows 8 or 8.1 (The Easy Way) (http://www.howtogeek.com/107511/how-to-boot-into-safe-mode-on-windows-8-the-easy-way/).
Regards.
-
Thanks for that info, also I noticed there was a new update v10.5.7... This version works now, as it does not get stuck, however I still get an error or process terminated for Symantec Endpoint Protection... See image.
When I ran the scan it got stuck at 3% and now says not responding... let it sit for a while and it came back, will let you know if it completes...
-
Well, the scan did go up to 4% and then locked up once again, then would not move from there. I ended the task in Task Manager and then re-launched RogueKiller. This time it completed the pre-scan and was also able to complete the scan I ran. The report is below if that helps with fixing the issue...
RogueKiller V10.5.7.0 (x64) [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Firefox [Administrator]
Started from : C:\temp\RogueKillerX64 V10.5.7.exe
Mode : Scan -- Date : 03/22/2015 19:54:54
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSVia64 -- \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys[7] -> ERROR [41c]
¤¤¤ Registry : 16 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IDSVia64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\EX64.SYS) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 34 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net
¤¤¤ Antirootkit : 27 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\drivers\symefasi\0500010.01F\symefasi.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\drivers\symefasi\0500010.01F\symefasi.sys)
[IAT:Addr(Hook.IEAT)] (iexplore.exe) msvcrt.dll - memcpy : C:\Program Files (x86)\Stardock\ObjectDockPlus2\Dock64.dll @ 0x2eb8030
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileA : @ 0x0 ()
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] ljcy9al9.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/|http://www.bleepingcomputer.com/forums/|http://www.systemlookup.com/"); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103UJ ATA Device +++++
--- User ---
[MBR] 074b342e6503d998a5f55dd94a2f3549
[BSP] 3cfc57663abb2195f66e045b394cdbf0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 976762880 | Size: 476933 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: SAMSUNG HD103UJ ATA Device +++++
--- User ---
[MBR] a3e94eac8201feabc51ff6a00d3a1123
[BSP] e3b27120b8c9e7a10f8d5b6df0d6a6da : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: TEAC USB HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive3: TEAC USB HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive4: TEAC USB HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive5: TEAC USB HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive6: KANGURU SS3 USB Device +++++
--- User ---
[MBR] 39d4b669dd54e10382bd49dd16a68f0a
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 60300 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_03222015_194500.log
-
Hi firefoxthebomb,
Thanks for the heads-up.
There indeed remains a problem with Symantec Endpoint Protection. It is currently under investigation.
Regards.
-
Thanks for the continued info, hope you guys nail it down, as I have that setup on many computers.
Look forward to the fix.
-
Hi firefoxthebomb,
You are very welcome.
I will keep you informed in this thread about the evolution of the issue.
Regards.
-
Curson, just an FYI... I downloaded version 10.5.8 x64 and tried this version to see if I still got the same errors. I was able to complete a pre-scan with no detections about Symantec Endpoint Protection; I did however get a false positive with Malwarebytes Secure Backup. See log below:
RogueKiller V10.5.8.0 (x64) [Mar 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : owner [Administrator]
Started from : L:\Flash Drives\128GB Flash Drive Backup\Tech CD\Utils\Ad Aware\Bleeping Computer Stuff\RogueKiller by tigzy\RogueKillerX64 V10.5.8.exe
Mode : Scan -- Date : 03/30/2015 11:10:32
¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] mbsbscan.exe(9528) -- C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe[7] -> Killed [TermProc]
¤¤¤ Registry : 9 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 36 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net
¤¤¤ Antirootkit : 52 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtProtectVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtAllocateVirtualMemory : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessInternalA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - MoveFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateFileA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CopyFileA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenUrlW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - WinExec : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHELL32.dll - ShellExecuteW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFileExW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToFileW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLOpenBlockingStreamW : @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - URLDownloadToCacheFileW : @ 0x0 ()
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "http://www.bleepingcomputer.com/forums/|https://forums.malwarebytes.org/|http://www.systemlookup.com/"); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] 9a58401060fd78b7ced0042be99fe3e8
[BSP] a4478fcfe5b4c86f09d53598ed58a5e2 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 750 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1617920 | Size: 367112 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 753463296 | Size: 1539826 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
+++++ PhysicalDrive1: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] d4ecfbd1a1d3c4917af6d6d28c8c95d7
[BSP] 6f5fe8da57fa68252ca31cc6e5d209fd : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
+++++ PhysicalDrive2: Kanguru SS3 USB Device +++++
--- User ---
[MBR] 94f9443d96441ecfcdafb5853a2e8a7e
[BSP] 39eaafe8c7c2f2a60c9df4ab5a671e21 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 120348 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive3: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive4: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive5: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive6: Generic- M.S./M.S.Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
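The two reports in this thread show the three outcomes a reviewer has to keep apart on every machine: items the pre-scan only listed (`-> Found`), items it acted on (`-> Killed [TermProc]`, which is what terminated mbsbscan.exe), and items it failed on (`-> ERROR [41c]`, the SEP driver service; if that bracketed value is a Win32 error code, 0x41c is 1052, ERROR_INVALID_SERVICE_CONTROL, which is what you would expect from sending a stop control to a kernel driver service that does not accept it). The script below is an added example written for this page, not Adlice's or Symantec's code. It parses the RogueKiller v10 report layout seen above, attaches a verdict class to each entry, and treats the Symantec Endpoint Protection definition drivers under ProgramData as expected rather than suspicious; that location and the three driver names are assumptions copied from these two reports, and the embedded sample report is constructed from lines of both.

```python
"""Triage helper for RogueKiller v10 text reports (added example, not Adlice code).

Parses the report layout shown in the thread, separates what the scanner merely
listed ("Found") from what it acted on ("Killed") or failed on ("ERROR"), then
applies explicit, editable expectations so a known vendor layout (the Symantec
Endpoint Protection definition drivers under ProgramData) is not read as a hit.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*:\s*(?P<count>\d*).*¤¤¤\s*$")
ACTION_RE = re.compile(r"^(?P<body>.*?)\s*->\s*(?P<action>\S.*?)\s*$")
CATEGORY_RE = re.compile(r"^\[(?P<category>[^\]]+)\]")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]]+?\.(?:sys|exe|dll)", re.IGNORECASE)

# ASSUMPTION (taken from the two reports in the thread): where this SEP 12.1
# install keeps its definition drivers. Adjust for other products or versions.
EXPECTED_DRIVER_PREFIX = "c:\\programdata\\symantec\\symantec endpoint protection\\"
EXPECTED_DRIVER_NAMES = {"eng64.sys", "ex64.sys", "idsvia64.sys"}
# Hex values after "ERROR", read as Win32 error codes (assumption).
WIN32_ERRORS = {0x41C: "ERROR_INVALID_SERVICE_CONTROL (1052)"}


@dataclass
class Entry:
    section: str
    category: str
    body: str
    action: str              # "Found", "Killed [TermProc]", "ERROR [41c]" or ""
    path: Optional[str]
    verdict: str = ""


def parse_report(text: str) -> List[Entry]:
    """Split a report into entries; lines that do not start with '[' are ignored."""
    entries: List[Entry] = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        cat = CATEGORY_RE.match(line)
        if not cat:
            continue
        act = ACTION_RE.match(line)
        body, action = (act.group("body"), act.group("action")) if act else (line, "")
        path = WINPATH_RE.search(body)
        entries.append(Entry(section, cat.group("category"), body, action,
                             path.group(0) if path else None))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a verdict (ACTED/ERROR/EXPECTED/BENIGN/REVIEW) to each entry, in place."""
    for e in entries:
        low = (e.path or "").lower()
        name = low.rsplit("\\", 1)[-1]
        if e.action.startswith("Killed"):
            e.verdict = "ACTED: process terminated in pre-scan; confirm it was not a false positive"
        elif e.action.startswith("ERROR"):
            code = int(re.search(r"\[([0-9a-fA-F]+)\]", e.action).group(1), 16)
            e.verdict = f"ERROR: scanner could not act ({WIN32_ERRORS.get(code, hex(code))})"
        elif (e.category == "Suspicious.Path" and low.startswith(EXPECTED_DRIVER_PREFIX)
              and name in EXPECTED_DRIVER_NAMES):
            e.verdict = "EXPECTED: vendor definition driver in its known location; verify its signature"
        elif e.category.startswith("PUM."):
            e.verdict = "REVIEW: user/policy modification (DNS, icons, homepage), not malware by itself"
        elif e.section == "Hosts File":
            e.verdict = ("BENIGN: hosts entry sinkholed to 0.0.0.0 (blocklist)" if " 0.0.0.0 " in e.body
                         else "REVIEW: hosts entry points at a live address (possible hijack)")
        elif e.section == "Antirootkit":
            e.verdict = ("REVIEW: user-mode hook with no owning module resolved" if e.body.endswith("()")
                         else "REVIEW: user-mode hook, check the owning module's publisher")
        else:
            e.verdict = "REVIEW: unclassified"
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per verdict class so many reports can be compared at a glance."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = e.verdict.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: lines excerpted from the two reports in the thread.
SAMPLE_REPORT = r"""
RogueKiller V10.5.8.0 (x64) [Mar 30 2015] by Adlice Software
¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] (SVC) IDSVia64 -- \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150320.011\IDSvia64.sys[7] -> ERROR [41c]
[Tr.Zeus] mbsbscan.exe(9528) -- C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe[7] -> Killed [TermProc]
¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150322.001\ENG64.SYS) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5DAE4AA5-F8AA-41C4-8B74-4CFFDBC08E87} | NameServer : 209.18.47.61,209.18.47.62 [UNITED STATES (US)][UNITED STATES (US)] -> Found
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (iexplore.exe) msvcrt.dll - memcpy : C:\Program Files (x86)\Stardock\ObjectDockPlus2\Dock64.dll @ 0x2eb8030
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : @ 0x0 ()
"""

if __name__ == "__main__":
    for entry in triage(parse_report(SAMPLE_REPORT)):
        print(f"{entry.section:12} {entry.category:20} {entry.verdict}")
    print(summarize(triage(parse_report(SAMPLE_REPORT))))
```

Point `parse_report` at a saved `RKreport_SCN_*.log` and compare `summarize()` across machines; any host whose ACTED count is not zero had a process killed during the pre-scan and needs a look before the next scan is scheduled. The EXPECTED verdict only says the path matches the vendor layout it was told about; on the host itself, `Get-AuthenticodeSignature` on the flagged .sys confirms the publisher before the entry is whitelisted.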
-
Hi firefoxthebomb,
I'm really glad to hear that the incompatibilities with Symantec Endpoint Protection are now solved. :)
[Tr.Zeus] mbsbscan.exe(9528) -- C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe[7] -> Killed [TermProc]
Thanks for bringing this to our attention. This false positive will be fixed in RogueKiller next version.
Regards.
-
Just tested version 10.5.9.0 (x64) and no problems with Symantec Endpoint Protection and also thanks for fixing the false positive with Malwarebytes Secure backup, it is no longer detected.
Great Work!
-
Hi firefoxthebomb,
You are very welcome.
Thanks for the feedback.
Regards.