

Messages - AAVmech2141

1
RogueKiller / Re: ===> False Positives <===
« on: July 23, 2015, 07:26:24 PM »
Curson,

FYI, RogueKiller only acted like that with Symantec Endpoint Protection on 32-bit OS and not 64-bit.

2
RogueKiller / Re: ===> False Positives <===
« on: July 23, 2015, 07:20:28 PM »
Curson,

Awesome, thank you so much for your help.


3
RogueKiller / Re: ===> False Positives <===
« on: July 23, 2015, 02:50:00 PM »
Sorry, I didn't catch that, and thanks for working with me. It should be good now.

https://drive.google.com/file/d/0B-odu-iO-tYIa2VTa0tuRHFWNVU/view?usp=sharing

4
RogueKiller / Re: ===> False Positives <===
« on: July 22, 2015, 11:12:20 PM »
Here is the link for the taskeng.exe compressed file:

https://drive.google.com/open?id=0B-odu-iO-tYIa2VTa0tuRHFWNVU

Thank you!


5
RogueKiller / Re: ===> False Positives <===
« on: July 22, 2015, 05:35:45 PM »
Sorry, here is the complete log:

RogueKiller V10.9.3.0 [Jul 21 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Users\User\Downloads\RogueKiller.exe
Mode : Scan -- Date : 07/21/2015 16:08:39

¤¤¤ Processes : 30 ¤¤¤
[Proc.Injected] ccSvcHst.exe(3748) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe[7] -> Killed [TermProc]
[Proc.Injected] dwm.exe(3900) -- C:\Windows\System32\dwm.exe
  • -> [NoKill]
[Proc.Injected] taskhost.exe(3944) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] explorer.exe(3996) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxtray.exe(3240) -- C:\Windows\System32\igfxtray.exe[7] -> Killed [TermProc]
[Proc.Injected] hkcmd.exe(3528) -- C:\Windows\System32\hkcmd.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxpers.exe(3224) -- C:\Windows\System32\igfxpers.exe[7] -> Killed [TermProc]
[Proc.Injected] SPEnroll.exe(3984) -- C:\Windows\System32\SPEnroll.exe[7] -> Killed [TermProc]
[Proc.Injected] lync.exe(3740) -- C:\Program Files\Microsoft Office 15\root\office15\lync.exe[7] -> Killed [TermProc]
[Proc.Injected] AeXAgentUIHost.exe(5456) -- C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe[7] -> Killed [TermProc]
[Proc.Injected] OUTLOOK.EXE(4384) -- C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[7] -> Killed [TermProc]
[Proc.Injected] taskhost.exe(7844) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] hpqtra08.exe(760) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[7] -> Killed [TermProc]
[Proc.Injected] taskeng.exe(7420) -- C:\Windows\System32\taskeng.exe[7] -> Killed [TermProc]
[Proc.Injected] hpwuschd2.exe(6424) -- C:\Program Files\HP\HP Software Update\hpwuschd2.exe[7] -> Killed [TermProc]
[Proc.Injected] ScanToPCActivationApp.exe(2764) -- C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\ScanToPCActivationApp.exe[7] -> Killed [TermProc]
[Proc.Injected] rundll32.exe(3776) -- C:\Windows\System32\rundll32.exe[7] -> Killed [TermProc]
[Proc.Injected] iexplore.exe(6600) -- C:\Program Files\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Proc.Injected] EXCEL.EXE(7952) -- C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE[7] -> Killed [TermProc]
[Proc.Injected] AeXAgentUIHost.exe(6668) -- C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe[7] -> Killed [TermProc]
[Proc.Injected] ccSvcHst.exe(7960) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe[7] -> Killed [TermProc]
[Proc.Injected] dwm.exe(7776) -- C:\Windows\System32\dwm.exe
  • -> [NoKill]
[Proc.Injected] taskhost.exe(6096) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] explorer.exe(6976) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] hkcmd.exe(484) -- C:\Windows\System32\hkcmd.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxpers.exe(7056) -- C:\Windows\System32\igfxpers.exe[7] -> Killed [TermProc]
[Proc.Injected] SPEnroll.exe(5628) -- C:\Windows\System32\SPEnroll.exe[7] -> Killed [TermProc]
[Proc.Injected] mswinext.exe(5728) -- C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe[7] -> Killed [TermProc]
[Proc.Injected] hpwuschd2.exe(5508) -- C:\Program Files\HP\HP Software Update\hpwuschd2.exe[7] -> Killed [TermProc]
[Proc.Injected] hpqtra08.exe(1968) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 12 ¤¤¤
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : andeconnect.andent.andersonsinc.com  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-51550\Software\Microsoft\Internet Explorer\Main | Start Page : http://andeconnect.andent.andersonsinc.com/wps/portal/Andeconnect/andehome  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : andeconnect.andent.andersonsinc.com  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-51550\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-78429\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 45 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e11fee0f000000
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e11fee22000000
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x41e11200ca000000
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x41e108c571000000
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x41e11ff1f2000000
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x41e11ff070000000
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x41e11ff1b1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x41e11201e1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x41e11ff1c6000000
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x41e11ff00d000000
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x41e11200ea000000
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x41e11212b1000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x41e11ff085000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x41e11ff094000000
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x41e108eb4f000000
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x41e112129e000000
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x41e11ff05d000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x41e11201d0000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x41e11200db000000
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x41e11ff037000000
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x41e11201bf000000
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x41e11ff1dd000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x41e11ff19c000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x41e11ff187000000
[SSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[277] : Unknown @ 0x41e11ff172000000
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x41e11fee35000000
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x41e11fee6e000000
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x41e11fee81000000
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x41e11ff020000000
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x41e11ff04a000000
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x41e11fee48000000
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x41e1121598000000
[SSDT:Addr(Hook.SSDT)] unknown[371] : Unknown @ 0x41e11fee5b000000
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x41e112128b000000
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x41e11212c2000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x41e1564064000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x41e1550977000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x41e1561f69000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x41e1550885000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x41e1556f17000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x41e1504ce7000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x41e1563d98000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x41e0b5a2ff000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x41e1508cc5000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x41e0b58222000000

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST250DM000-1BD141 +++++
--- User ---
[MBR] aef303c4bef24d2153d8a81fad4f5016
[BSP] 000d6524b2f3e7099403d0f2ac284232 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 612 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1255424 | Size: 237861 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


6
RogueKiller / Re: ===> False Positives <===
« on: July 22, 2015, 04:43:07 PM »
I am wondering if someone could explain if these results are legitimate rootkits or not:

¤¤¤ Antirootkit : 45 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e11fee0f000000
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e11fee22000000
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x41e11200ca000000
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x41e108c571000000
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x41e11ff1f2000000
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x41e11ff070000000
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x41e11ff1b1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x41e11201e1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x41e11ff1c6000000
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x41e11ff00d000000
