Messages - jayh

1
Hi All,

After running Roguekiller on my Vista SP2 64bit Dell Studio 1537 laptop, items were listed in RED under the Antirootkit tab, and listed in the Antirootkit section of the report.

¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤

[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass6 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass5 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass4 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)

These are concerning, as they are listed in RED.
When the cursor is hovered over them, this message appears: "Critical - the item is malware and should be removed".

Researching on the web I found information that appears to show that Watchdog.sys is a Microsoft OS driver used to monitor thread usage of display drivers.

From http://msdn.microsoft.com/en-us/library/ff553890.aspx :
"In Microsoft Windows XP SP1 and later operating systems, GDI uses a watchdog timer to monitor the time that threads spend executing in the display driver. The watchdog defines a time threshold. If a thread spends more time in a display driver than the threshold specifies, the watchdog tries to recover by switching to VGA graphics mode."

And the file properties appear to be those of a legitimate Microsoft file.
See the attached screenshot "Watchdog.sys properties.jpg".

Also the listings show "\Driver\vmkbd".
Does this mean virtual machine keyboard?
VMware Workstation is installed on this laptop.
Could these entries be related to the virtual machines created on this laptop, and therefore not harmful?

Should these entries be whitelisted?
Or -
Are these keyloggers? Are these malware? And should they be deleted?
Are there other steps that should be taken?

If they are malware, could you please explain
how you know that, what they are, and what is most likely the name of the malware that caused it,
and any other steps that should be taken.

Your help is greatly appreciated.
Thanks very much!

2
Hi All,

New to this and would be grateful for any assistance.

My email account was hacked and I wanted to make sure my computer was clean.

Found out about RogueKiller in a thread on Malwarebytes forum that recommended using RogueKiller and other tools:

(RKill, MalwareBytes, RogueKiller, Junkware Removal Tool, AdwCleaner, ESET, Farbar Recovery Scan Tool, ComboFix, JavaRa, TFC, TDSSkiller, Security Check)

and I ran them on my Vista SP2 64bit Dell Studio 1537 laptop.

All items found have been identified as ok except for things RogueKiller found.

Kernel Filters:
In the Registry section (in RED under the Registry tab):
¤¤¤ Registry : 30 ¤¤¤
[Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found
[Hj.RegVal] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found

These two are concerning, as they are listed in RED.
When the cursor is hovered over them, this message appears: "Critical - the item is malware and should be removed".
I would like confirmation.
Are these malware? And should they be deleted?
Are there other steps that should be taken?

Also -
In the Antirootkit section (in ORANGE under the Antirootkit tab):
¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\rimmpx64.sys)
Is this malware? And should it be deleted?
Are there other steps that should be taken?

In the Processes section (in ORANGE under the Processes tab):
¤¤¤ Processes : 5 ¤¤¤
[Suspicious.Path] httpd.exe(2448) -- C:\ProgramData\SingleClick Systems\apache\bin\httpd.exe[-] -> Killed [TermProc]
[Suspicious.Path] httpd.exe(2544) -- C:\ProgramData\SingleClick Systems\apache\bin\httpd.exe[-] -> Killed [TermProc]
[Suspicious.Path] mysqld.exe(3448) -- C:\ProgramData\SingleClick Systems\MySQL\bin\mysqld.exe[-] -> Killed [TermProc]
[Suspicious.Path] dsl_fs_sync.exe(3584) -- C:\ProgramData\SingleClick Systems\Remote Access File Sync Service\dsl_fs_sync.exe[7] -> Killed [TermProc]
[Suspicious.Path] hnm_svc.exe(3836) -- c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[7] -> Killed [TermProc]

Researching these, I believe they were part of networking software installed as part of the factory image on Dell laptops.
Should they be whitelisted?

Any help greatly appreciated.
Thanks!
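Both posts above paste RogueKiller report lines from the Antirootkit, Registry and Processes sections and ask how to read them. The following parser is an added example, not part of jayh's posts and not RogueKiller's own code: it splits each line type into its fields and attaches a few triage notes (a filter driver whose backing image has a different file name, a Winlogon Shell value that differs from the stock `explorer.exe`, a key under an `RK_` prefix that is assumed from its name to be a hive the scanner loaded from another volume, a process image under ProgramData). The sample lines are copied from the posts; the heuristics are this example's own assumptions and only say what to look at, not whether an item is malicious.

```python
"""Parse RogueKiller report lines into structured records with triage notes.

Added example for the forum posts above. Sample lines are copied from the
posts; the regexes and the triage heuristics are this example's assumptions,
not RogueKiller's detection logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# [Filter(Kind)] \Driver\base @ \Device\dev : \Driver\filter @ Vendor (image)
FILTER_RE = re.compile(
    r"^\[Filter\((?P<kind>[^)]+)\)\] (?P<base>\S+) @ (?P<device>\S+) : "
    r"(?P<filter>\S+) @ (?P<vendor>\S+) \((?P<image>[^)]+)\)$")
# [Hj.RegVal] (X64) HKLM\...\Winlogon | Shell : data  -> Found
REGVAL_RE = re.compile(
    r"^\[(?P<kind>Hj\.RegVal)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| "
    r"(?P<value>\S+) : (?P<data>.+?)\s+-> (?P<status>\w+)$")
# [Suspicious.Path] name.exe(pid) -- C:\path\name.exe[flag] -> action
PROC_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] (?P<name>\S+)\((?P<pid>\d+)\) -- "
    r"(?P<path>.+?)\[(?P<flag>[^\]]*)\] -> (?P<action>.+)$")

# Stock Winlogon\Shell value on Vista; anything else merits a look.
DEFAULT_SHELL = "explorer.exe"


@dataclass
class Record:
    section: str
    fields: dict
    notes: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """File name component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def _stem(path: str) -> str:
    """Lowercase file name without extension."""
    return _basename(path).rsplit(".", 1)[0].lower()


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a recognised report line, or None."""
    line = line.strip()
    m = FILTER_RE.match(line)
    if m:
        rec = Record("Antirootkit", m.groupdict())
        # Driver object name vs backing image name (e.g. vmkbd vs watchdog.sys).
        drv = rec.fields["filter"].rsplit("\\", 1)[-1].lower()
        if drv != _stem(rec.fields["image"]):
            rec.notes.append(
                f"driver object {drv} backed by {_basename(rec.fields['image'])}")
        return rec
    m = REGVAL_RE.match(line)
    if m:
        rec = Record("Registry", m.groupdict())
        # Assumption: an RK_ prefix names a hive the scanner loaded from
        # another volume rather than the running system's hive.
        if "\\RK_" in rec.fields["key"]:
            rec.notes.append("key under RK_ prefix: loaded hive, not the live one")
        if rec.fields["value"] == "Shell" and rec.fields["data"].lower() != DEFAULT_SHELL:
            rec.notes.append(f"Shell differs from default {DEFAULT_SHELL}")
        return rec
    m = PROC_RE.match(line)
    if m:
        rec = Record("Processes", m.groupdict())
        if "\\programdata\\" in rec.fields["path"].lower():
            rec.notes.append("image under ProgramData: verify publisher/signature")
        return rec
    return None


def triage(lines: List[str]) -> List[Record]:
    """Parse every recognised line; unrecognised lines are skipped."""
    return [r for r in (parse_line(ln) for ln in lines) if r is not None]


# Constructed input: lines copied from the two posts, plus a header line.
SAMPLE_LINES = [
    r"¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤",
    r"[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass6 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)",
    r"[Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found",
    r"[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\rimmpx64.sys)",
    r"[Suspicious.Path] httpd.exe(2448) -- C:\ProgramData\SingleClick Systems\apache\bin\httpd.exe[-] -> Killed [TermProc]",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        print(rec.section, rec.fields, rec.notes)
```

Running the script prints one structured record per recognised line; the notes are prompts for manual verification (check the signer of the named image, compare the loaded hive against the live one), which is the work the posts are asking the forum to do.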
