Author Topic: Antirootkit RED WARNINGS (Read 8508 times)

RichardK007 · « **on:** July 20, 2014, 05:27:34 AM »

Hi,
I'm new to RK and this forum, so I'm not sure if this is the place to ask question... sorry if it is not. I've read the tutorial and seen the FAQs page but there is no mention of RED color warnings. I don't know what to do....

I've run RogueKiller and the scan picked up some PUPs which I have deleted.
It also picked up 3 objects in the Antirootkit tab that are highlighted in RED. These appear to be bad. It looks like they are keyloggers. I don't know if they are important to remove - and how to remove them.

Can you help please?

I ran the scan process again, so the PUPs are not in the report now. here's the report

Thanks
Richard

RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Remove -- Date : 07/20/2014 10:56:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 3 (Driver: LOADED) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\SynTP @ \Device\0000009b (\SystemRoot\System32\drivers\dxgmms1.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\0000008c (\SystemRoot\System32\drivers\dxgmms1.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\0000008a (\SystemRoot\System32\drivers\dxgmms1.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA MQ01ABD0 SCSI Disk Device +++++
--- User ---
[MBR] 239b791ed077fd1471a55625c40b17dd
[BSP] 9f5a57385805106117475533f18d9e31 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 462765 MB
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 950816768 | Size: 12673 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ATA TOSHIBA MK5075GS SCSI Disk Device +++++
--- User ---
[MBR] b511322079f9d2811392685783f2e20f
[BSP] 726112a5b743585243c98ba617487edd : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_07202014_103048.log - RKreport_DEL_07202014_103918.log - RKreport_SCN_07202014_104914.log

Tigzy · « **Reply #1 on:** July 20, 2014, 02:06:49 PM »

Hello
yes it's red because highly suspicious. Kernel filter attached to keyboard stack and not whitelisted.

Can you tell what is the publisher of dxgmms1.sys ? (in system32/drivers)

RichardK007 · « **Reply #2 on:** July 20, 2014, 05:26:55 PM »

Hi Tigzy
thanks for your help.

it appears that the signer is Microsoft Windows.
File Description: DirectX Graphics MMS
Type: System file
file version: 6.1.7601.18126
Product Name: Microsoft Windows Operating System
Copyright: Microsoft Corporation
Size 258kb
Date Modified: 10/04/2013

the same name file appears in this directory with several versions of the file including (for example)
C:\Windows\winsxs\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.18228_none_09e7b2cffa30f336
and
C:\Windows\winsxs\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.17610_none_09ea9ecbfa2fe788

these have different dates - it looks like version updates.

does this give you any clues?
thanks for your help.

cheers
Richard

Tigzy · « **Reply #3 on:** July 24, 2014, 10:47:56 AM »

Yes, that's legit file and will be whitelisted

No need to do anything

RichardK007 · « **Reply #4 on:** July 24, 2014, 11:19:57 AM »

thanks.
It looked legit, but then if i was a dodgy hacker criminal, I'd probably create a file and sign it as coming from Microsoft.

thanks again

And because you are a nice fella, I've added Adlice.com into the anti-malware section of my new Guide.

Cheers
Richard

Tigzy · « **Reply #5 on:** July 24, 2014, 11:56:48 AM »

Quote

It looked legit, but then if i was a dodgy hacker criminal, I'd probably create a file and sign it as coming from Microsoft.

That's not as easy

Digi certs are provided by trusted authorities, they investigate about you/your company, and you have to prove you are you and not a dodgy criminal.
More, you cannot sign using any company name, that's necessarily YOUR company name. There's no hack to sign with any certificate, unless you can steal one (that happened to Adobe some years ago).

Certificates are useful because if one modifies your binary (example PE infector like Virut/Sality) your cert is no longer valid. So no one can blame you for possible damages.

If you have a certificate and one day you are reported as a malware provider, the authority that gave it to you has all information needed for the FBI to knock at your door

Thanks for adding us

RichardK007 · « **Reply #6 on:** July 25, 2014, 02:40:38 AM »

Thanks Tigzy,

Cheers
Richard

Author Topic: Antirootkit RED WARNINGS (Read 8508 times)

RichardK007

Antirootkit RED WARNINGS

Tigzy

Re: Antirootkit RED WARNINGS

RichardK007

Re: Antirootkit RED WARNINGS

Tigzy

Re: Antirootkit RED WARNINGS

RichardK007

Re: Antirootkit RED WARNINGS

Tigzy

Re: Antirootkit RED WARNINGS

RichardK007

Re: Antirootkit RED WARNINGS