

Messages - derek123456789

RogueKiller / Rootkit Detection - Pls Evaluate Report
« on: December 15, 2014, 02:14:07 AM »
Hi - Laptop has been acting funny... I am almost positive my new router got infected after I forgot to change the default PW for a few days.  I run Avast and MBAM actively and shut Defender off.  TDSSKiller is coming up clean.

Please note, first time I ran RK today, the initial scan turned off a MBAM process (a bit odd).  Then the next one found some PUM Reg. entries that I deleted (in addition to all the rootkit stuff).  This was the latest.  Thanks!

RogueKiller V10.1.0.0 (x64) [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Derek [Administrator]
Mode : Scan -- Date : 12/14/2014  20:04:19

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 8 (Driver: Loaded) ¤¤¤
[IAT:Inl] (chrome.exe) ntdll.dll - LdrUnloadDll : Unknown @ 0x7ffd55df075c (jmp 0xffffffff8018f41c)
[IAT:Inl] (chrome.exe) ntdll.dll - LdrLoadDll : Unknown @ 0x7ffd55df03a4 (jmp 0xffffffff80169654)
[IAT:Inl] (chrome.exe) ntdll.dll - LdrUnloadDll : Unknown @ 0x7ffd55df075c (jmp 0xffffffff8018f41c)
[IAT:Inl] (chrome.exe) ntdll.dll - LdrLoadDll : Unknown @ 0x7ffd55df03a4 (jmp 0xffffffff80169654)
[IAT:Inl] (chrome.exe) ntdll.dll - LdrUnloadDll : Unknown @ 0x7ffd55df075c (jmp 0xffffffff8018f41c)
[IAT:Inl] (chrome.exe) ntdll.dll - LdrLoadDll : Unknown @ 0x7ffd55df03a4 (jmp 0xffffffff80169654)
[IAT:Inl] (chrome.exe) ntdll.dll - LdrUnloadDll : Unknown @ 0x7ffd55df075c (jmp 0xffffffff8018f41c)
[IAT:Inl] (chrome.exe) ntdll.dll - LdrLoadDll : Unknown @ 0x7ffd55df03a4 (jmp 0xffffffff80169654)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] ab09653465709269358ca86c4345e29e
[BSP] 7ee15af64f1544c7ab9f5888cf56cf4c : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10102014_212827.log - RKreport_DEL_11112014_010526.log - RKreport_DEL_11112014_010741.log - RKreport_DEL_11282014_052614.log
RKreport_DEL_12142014_192540.log - RKreport_SCN_10102014_212517.log - RKreport_SCN_11112014_010301.log - RKreport_SCN_11112014_010726.log
RKreport_SCN_11282014_052344.log - RKreport_SCN_11282014_052847.log - RKreport_SCN_12142014_192425.log - RKreport_SCN_12142014_195416.log
RKreport_DEL_12142014_195656.log - RKreport_DEL_12142014_195720.log - RKreport_DEL_12142014_195722.log - RKreport_SCN_12142014_200014.log
RKreport_DEL_12142014_200110.log


RogueKiller / RK x64: Hidden processes, Registry Hits
« on: July 14, 2014, 10:32:45 PM »
Hi - I have already cleaned these items once, but they came back.  I am running Windows 8.1 w/ Malwarebytes Real-time protection and the Windows embedded malware protection program (used to be MSE, not sure what it is called now).

One thing to note, this is my laptop and I remote connect into my desktop with Windows 7... through the desktop, I have recently accessed the virtual drive to run Windows XP Mode with a couple of programs... not sure if this made me vulnerable... the remote connecting and XP Mode is temporary and possibly even done with


Very much appreciate your help/advice

RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Derek [Admin rights]
Mode : Scan -- Date : 07/14/2014  16:27:52

¤¤¤ Bad processes : 2 ¤¤¤
[Proc.Hidden]  --
  • -> KILLED [TermThr]
[Proc.Hidden]  --
  • -> KILLED [TermThr]


¤¤¤ Registry Entries : 6 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SWUpdateService -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SWUpdateService -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3345471694-2689826623-465696368-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3345471694-2689826623-465696368-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3345471694-2689826623-465696368-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3345471694-2689826623-465696368-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] ab09653465709269358ca86c4345e29e
[BSP] 7ee15af64f1544c7ab9f5888cf56cf4c : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_06302014_073846.log - RKreport_DEL_06302014_074303.log - RKreport_DEL_07032014_003308.log - RKreport_DEL_07042014_192104.log
RKreport_SCN_06302014_073823.log - RKreport_SCN_06302014_074210.log - RKreport_SCN_07032014_003016.log - RKreport_SCN_07042014_191752.log

RogueKiller / Hidden Processes
« on: July 05, 2014, 01:20:56 AM »
Hi, RK has been finding these hidden processes.  I appreciate any help or advice on this...thanks!

RogueKiller V9.1.0.0 (x64) [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Derek [Admin rights]
Mode : Scan -- Date : 07/04/2014  19:17:52

¤¤¤ Bad processes : 2 ¤¤¤
[Hidden]  --
  • -> KILLED [TermThr]
[Hidden]  --
  • -> KILLED [TermThr]


¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] ab09653465709269358ca86c4345e29e
[BSP] 7ee15af64f1544c7ab9f5888cf56cf4c : Unknown MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_06302014_073846.log - RKreport_DEL_06302014_074303.log - RKreport_DEL_07032014_003308.log - RKreport_SCN_06302014_073823.log
RKreport_SCN_06302014_074210.log - RKreport_SCN_07032014_003016.log

RogueKiller / RK x64 Report: SYNCENG.dll is rootkit?
« on: June 06, 2014, 08:08:56 AM »
Hi - I ran RogueKiller x64 and it found, under Antirootkit, the .dll referenced in the subject... I thought I had deleted it, but it came up again.  I downloaded TDSSKiller after this to see what it found, and it did not find any rootkits.

Please see report and advise what I should do.

Thanks very much.

RogueKiller V9.0.2.0 (x64) [Jun  3 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : D [Admin rights]
Mode : Scan -- Date : 06/06/2014  01:48:48

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 1 ¤¤¤
[EAT:Addr] (explorer.exe) SYNCENG.dll - DoCmd : C:\Windows\System32\framedynos.dll @ 0x7feed1ef5f8

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD501LJ +++++
--- User ---
[MBR] 8f8f368c032163e555f43f59bba7930f
[BSP] ceb84c3e7b096f62a58a22cb4210973b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 467469 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 957377610 | Size: 9467 MB
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR] 88e42e907aec80f2e3f36dffeac43632
[BSP] 096ca65415799301792a33c93b5e78da : Windows XP MBR Code
Partition table:

+++++ PhysicalDrive1: WD My Passport 0748 USB Device +++++
--- User ---
[MBR] 8752273f349251cedf7c6209cdd11aac
[BSP] 804dbf71ce7b1f906f09fbead2fc17a2 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953836 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 09f1580e0e705f4d9330806f0b520171
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 61050 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_06062014_002513.log - RKreport_SCN_06062014_002259.log - RKreport_SCN_06062014_005633.log - RKreport_SCN_06062014_005923.log

RogueKiller / RogueKiller report advice
« on: May 01, 2014, 05:44:14 AM »
Hi, please advise what actions (if any) I should take, thanks!

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Derek [Admin rights]
Mode : Scan -- Date : 04/30/2014 23:38:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\windows\Screen_Samsung.scr [-]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) HGST HTS541010A9E680 +++++
--- User ---
[MBR] ab09653465709269358ca86c4345e29e
[BSP] 7ee15af64f1544c7ab9f5888cf56cf4c : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_04302014_233815.txt >>