

Messages - HackedPwned

1
RogueKiller / Re: [Split]Proc.Injected
« on: April 25, 2016, 12:11:25 AM »
Hi Curson, how are you :) ?

Quote from: Curson
That will be the case in the next version of RogueKiller.
Good :) !

Quote from: Curson
Many thanks. That's much appreciated. :)
You're welcome :) !

Quote from: Curson
How much memory is installed on your computer?
I have 16 GB of memory installed.
The pagefile size is manually set to 2 GB :).

Best regards :) !

2
RogueKiller / Re: [Split]Proc.Injected
« on: April 22, 2016, 01:41:55 AM »
Hello !

Sorry for this late answer, but I was not alerted that a new reply had been posted, because the topic has been moved :).

Quote from: Curson
Did RogueKiller ask you to upload a file to VirusTotal during the scan?
Nope :) !

Quote from: Curson
Would you agree to help us troubleshoot this issue?
Yes, I do :).

Quote from: Curson
If so, please follow the following process :.......
OK, the command does not seem right: it displays the "command / usage list" of procdump.
I read the manual, and it seems that the dump path is missing. So I modified the command to:

Code:
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x c:\test\ "I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe"
And RogueKiller launched :). But maybe my command isn't good, I don't know :(.

I launched the scan, and the system froze instantaneously when RogueKiller scanned the MSI Afterburner service, as expected.
Really instantaneously...
So no, the memory usage was very good until then...

I hard reset my PC, and I have not found a *.dmp file anywhere, either in the "test" folder or elsewhere.
I think the crash comes too suddenly to make a dump :/.

If you have suggestions... ;).

3
RogueKiller / Re: [Split]Proc.Injected
« on: April 20, 2016, 11:23:53 PM »
Quote from: Curson
Welcome to Adlice.com Forum. :)

Thank you :) !

Quote from: Curson
I advise you to delete these entries; they are known malware.

Quote
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Trouvé(e)
I had already done so after my first analysis ;) !

Quote from: Curson
Could you please attach RogueKiller JSON report in your next reply and follow the following process ?
[...]
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Of course ;) !

I forgot to mention that the scan systematically crashed the system each time the MSI Afterburner service was analyzed (complete freeze of the system --> hard reset).
So I had to quit Afterburner to start the analysis.

Thanks for your help ;) !

Cordially !

4
RogueKiller / [Split]Proc.Injected
« on: April 20, 2016, 06:46:53 PM »
Hello :) !

I think I have a false positive detection for the PRTG server process (Proc.Injected).
Please find below the log for the scan detection :).

Here is the requested dump file, as shown on the front page :).

I think I have another false positive: drmk.sys (File.Forged). VirusTotal found no malicious modification.


Code:
RogueKiller V12.1.3.0 (x64) [Apr 18 2016] (Premium) par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 10 (10.0.10586) 64 bits version
Démarré en  : Mode normal
Utilisateur : HackedPwned [Administrateur]
Démarré depuis : I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe
Mode : Scan -- Date : 04/20/2016 17:01:13

¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] PRTG Server.exe(2776) -- C:\Program Files (x86)\PRTG Network Monitor\64 bit\PRTG Server.exe[x] -> Trouvé(e)

¤¤¤ Registre : 26 ¤¤¤
[Hj.Name] (X64) HKEY_USERS\RK_Default_ON_I_90E5\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [x] -> Trouvé(e)
[Hj.Name] (X86) HKEY_USERS\RK_Default_ON_I_90E5\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [x] -> Trouvé(e)
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\RK_home_ON_S_EF3D\Software\Microsoft\Internet Explorer\Main | Start Page : http://home.tb.ask.com/index.jhtml?n=7829E693&p2=^GR^mni000^YYA&ptb=8127F99C-A03B-438A-9DCF-906602EA39CC  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\RK_home_ON_S_EF3D\Software\Microsoft\Internet Explorer\Main | Start Page : http://home.tb.ask.com/index.jhtml?n=7829E693&p2=^GR^mni000^YYA&ptb=8127F99C-A03B-438A-9DCF-906602EA39CC  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Search Page : https://safesearch.avira.com/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Search Page : https://safesearch.avira.com/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_USERS\RK_HackedPwned_ON_I_B1B6\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_USERS\RK_HackedPwned_ON_I_B1B6\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{797f2ae7-8bcd-483a-b1b9-a1b0e8c2caef} | DhcpNameServer : 172.20.10.1 ([])  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{797f2ae7-8bcd-483a-b1b9-a1b0e8c2caef} | DhcpNameServer : 172.20.10.1 ([])  -> Trouvé(e)
[PUM.StartMenu] (X64) HKEY_USERS\RK_Administrateur_ON_I_FD0C\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X86) HKEY_USERS\RK_Administrateur_ON_I_FD0C\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 1 ¤¤¤
[File.Forged][Fichier] C:\Windows\System32\drivers\drmk.sys -> Trouvé(e)

¤¤¤ Fichier Hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) user32!GetAncestor : Unknown @ 0x7fff46a90028 (jmp 0xfffffffffaeccb68)

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 EVO 120G SCSI Disk Device +++++
--- User ---
[MBR] f75628e1770769cd2267b90a3f275402
[BSP] 54ee229f897f6b2938dc6e67657d6e2a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 102924 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG HD502HJ SCSI Disk Device +++++
--- User ---
[MBR] a93e8416daa214812d79b652c190449c
[BSP] df26c6a7183131d0eefab50d7b285b18 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WDC WD20EARS-00MVWB0 SCSI Disk Device +++++
--- User ---
[MBR] 1f2b74ea8cb7e33442085875b2cbef5c
[BSP] b2d2b4d3ad154532792d8e8d8e606a68 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 518605 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1062121408 | Size: 512000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2110700024 | Size: 512001 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 3159279616 | Size: 365111 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: ST1000DM 003-9YN162 USB Device +++++
--- User ---
[MBR] e83ba18959b82e6981de2c9b84d914a5
[BSP] df4007336cad0c923ee37fe0ba411fca : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )

Best regards :) !

HackedPwned
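A report in this format is long, and the registry section lists every key once per hive view (X64 and X86), which makes it hard to see how many distinct findings there really are. The Python script below is an added example for this thread, not RogueKiller's or Adlice's own code: it parses the text-report format quoted above into structured findings, counts them by category, and collapses the duplicated hive views. The sample report embedded in it is constructed to mirror that format with placeholder paths and dummy hashes; the section banners, category tags and the trailing `[x]` marker are taken from the format as quoted, and the script records the `[x]` marker without interpreting what it means.

```python
"""Parse a RogueKiller-style text report into structured findings for triage.

Added example for this thread; not RogueKiller's or Adlice's own code.
The parser is driven purely by the line shapes visible in the quoted report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Section banner, e.g. "¤¤¤ Registre : 26 ¤¤¤" or "¤¤¤ Antirootkit : 1 (Driver: Chargé) ¤¤¤".
# Only detection sections carry a count; the MBR dump ("¤¤¤ Vérification MBR : ¤¤¤") has none.
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:]+?)\s*:\s*(?P<count>\d+)?.*¤¤¤\s*$")
# Every finding starts with a [Category] tag; most end with "-> <status>".
FINDING_RE = re.compile(r"^\[(?P<cat>[^\]]+)\](?P<rest>.*?)(?:\s+->\s+(?P<status>\S+))?\s*$")
# Registry lines carry the hive view first: "(X64) HKEY_...".
ARCH_RE = re.compile(r"^\s*\((?P<arch>X64|X86)\)\s*(?P<rest>.*)$")
# Process lines: "Name(PID) -- C:\path\to\image".
PROC_RE = re.compile(r"^\s*(?P<name>.+?)\((?P<pid>\d+)\)\s+--\s+(?P<path>.+?)\s*$")


@dataclass
class Finding:
    section: str
    category: str
    target: str                  # registry key, process image path, file path, ...
    arch: Optional[str] = None   # X64 / X86 hive view for registry lines
    value: Optional[str] = None  # registry value name, or process PID
    data: Optional[str] = None   # registry data, service binary, or process name
    status: Optional[str] = None
    marked: bool = False         # the report's trailing "[x]" marker, kept uninterpreted


def _parse_rest(rest: str) -> dict:
    """Split the text after the [Category] tag according to its shape."""
    m = ARCH_RE.match(rest)
    if m:                                        # registry-style line
        arch, body = m.group("arch"), m.group("rest").strip()
        if " | " in body:                        # KEY | ValueName : Data
            key, vpart = body.split(" | ", 1)
            value, _, data = vpart.partition(" : ")
            return dict(target=key.strip(), arch=arch, value=value.strip(), data=data.strip())
        if body.endswith(")") and " (" in body:  # Services\Name (binary path)
            key, _, data = body[:-1].partition(" (")
            return dict(target=key.strip(), arch=arch, data=data.strip())
        return dict(target=body, arch=arch)
    m = PROC_RE.match(rest)
    if m:                                        # process line
        return dict(target=m.group("path"), value=m.group("pid"), data=m.group("name"))
    # File lines carry a second tag, e.g. "[Fichier] C:\...\driver.sys"; drop it.
    return dict(target=re.sub(r"^\s*\[[^\]]+\]\s*", "", rest).strip())


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section, counted = "", False
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            counted = m.group("count") is not None
            continue
        # Skip sections without a count (the MBR dump reuses [MBR]/[BSP] tags).
        if not counted or not line.startswith("["):
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").rstrip()
        marked = rest.endswith("[x]")
        if marked:
            rest = rest[:-3]
        findings.append(Finding(section=section, category=m.group("cat"),
                                status=m.group("status"), marked=marked, **_parse_rest(rest)))
    return findings


def count_by_category(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def collapse_views(findings: List[Finding]) -> List[Finding]:
    """Keep one copy of each finding the report lists under both hive views."""
    seen, out = set(), []
    for f in findings:
        key = (f.section, f.category, f.target, f.value, f.data)
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


# Constructed sample in the quoted report's format (placeholder paths, dummy hashes).
SAMPLE_REPORT = r"""RogueKiller V12.1.3.0 (x64) [Apr 18 2016] (Premium) par Adlice Software
Mode : Scan -- Date : 04/20/2016 17:01:13

¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] monitor.exe(2776) -- C:\Program Files (x86)\Example Monitor\monitor.exe[x] -> Trouvé(e)

¤¤¤ Registre : 4 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleBarService (C:\PROGRA~2\EXAMPL~1\bar\1.bin\barsvc.exe) -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.example.invalid/#web/result?q=  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.example.invalid/#web/result?q=  -> Trouvé(e)
[Hj.Name] (X64) HKEY_USERS\RK_Default\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [x] -> Trouvé(e)

¤¤¤ Fichiers : 1 ¤¤¤
[File.Forged][Fichier] C:\Windows\System32\drivers\drmk.sys -> Trouvé(e)

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Example SSD +++++
[MBR] 00000000000000000000000000000000
[BSP] 11111111111111111111111111111111 : Windows Vista/7/8|VT.Unknown MBR Code
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(count_by_category(found)))
    for f in collapse_views(found):
        print(f"{f.section:10} {f.category:14} {f.target} {'[x]' if f.marked else ''}")
```

Run as-is, the script prints per-category counts and one line per distinct finding; point `parse_report` at a saved report instead of `SAMPLE_REPORT` to triage a real scan. The MBR section is deliberately skipped because it reuses the `[...]` tag style for hashes rather than detections.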
