Author Topic: Need help experts!  (Read 6430 times)


Nick_Mukola (Guest)
Need help experts!
« on: October 09, 2014, 12:44:27 AM »
Hi guys!
Please tell me what to do with this?!
Everything that could be removed, I removed with the help of your program, and what is left is ...
There were these two processes:
=====================
¤¤¤ Processes : 2 ¤¤¤
[Proc.Hidden]  --
  • -> Killed [TermThr]
[Proc.Hidden]  --
  • -> Killed [TermThr]

=====================

and the program RogueKiller removed them)))

Here is what is left; tell me what to do with it:
=====================
¤¤¤ Antirootkit : 8 (Driver: Loaded) ¤¤¤
[Filter()] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\Drivers\crashdmp.sys)
[EAT:Addr] (explorer.exe) ieproxy.dll - DllCanUnloadNow : C:\Windows\system32\UIRibbon.dll @ 0x69124b75
[EAT:Addr] (explorer.exe) ieproxy.dll - DllGetClassObject : C:\Windows\system32\UIRibbon.dll @ 0x690c99e6
[EAT:Addr] (explorer.exe) ieproxy.dll - DllMain : C:\Windows\system32\UIRibbon.dll @ 0x69021276
[EAT:Addr] (explorer.exe) rtutils.dll - DllCanUnloadNow : C:\Windows\system32\prnfldr.dll @ 0x71f210a9
[EAT:Addr] (explorer.exe) rtutils.dll - DllGetClassObject : C:\Windows\system32\prnfldr.dll @ 0x71f2234c
[EAT:Addr] (explorer.exe) rtutils.dll - DllRegisterServer : C:\Windows\system32\prnfldr.dll @ 0x71f4ab95
[EAT:Addr] (explorer.exe) rtutils.dll - DllUnregisterServer : C:\Windows\system32\prnfldr.dll @ 0x71f4ab95

=====================

And these lines still confuse me:

===============
User = LL1 ... OK
Error reading LL2 MBR! ([1] ???????? ???????.)
===============
I seem to have picked up some kind of new infection; I have tried a bunch of anti-viruses and nothing helps (I'll soon become an expert myself), but your program, unlike the others, at least saw it!
Thanks in advance for your help!
« Last Edit: October 09, 2014, 12:47:54 AM by Nick_Mukola »

Tigzy (Administrator; Owner, Adlice Software)
Re: Need help experts!
« Reply #1 on: October 09, 2014, 07:36:06 AM »
Hello
The hidden process issue is known, we're working on it.

The driver section has several false positives that we'll fix for the next release.

Nick_Mukola (Guest)
Re: Need help experts!
« Reply #2 on: October 09, 2014, 03:03:55 PM »
Hello Tigzy!
So you mean to say that everything is fine and these are false positives in your program?!
Well, we will wait for the new release of your program)))

Tigzy (Administrator; Owner, Adlice Software)
Re: Need help experts!
« Reply #3 on: October 09, 2014, 03:27:58 PM »
Yes, exactly. That hidden process detection will be more verbose in the next release, and tell what process it is.
That'll maybe help to understand why they are detected.

Nothing else to do for you.

Nick_Mukola (Guest)
Re: Need help experts!
« Reply #4 on: November 25, 2014, 02:36:08 PM »
Quote from: Tigzy on October 09, 2014, 03:27:58 PM
    Yes, exactly. That hidden process detection will be more verbose in the next release, and tell what process it is.
    That'll maybe help to understand why they are detected.

    Nothing else to do for you.

Why does your program see nothing else? I have a feeling that your program is starting to miss this unknown, mysterious process ... =(
After the scan, your program sends me to this page
http://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/
And what do I do next?! I just don't really know what to do next ...

By the way, I forgot to tell you: the program Kerish Doctor 2014 also sees this mysterious process.

When I boot from the "Windows 8" disc and run the program AVZ, it shows the strangeness in the screenshot. As you can see, this strange path "SystemRoot\System32\drivers\cdrom.sys" pops up again.
« Last Edit: November 25, 2014, 02:48:06 PM by Nick_Mukola »

Nick_Mukola (Guest)
Re: Need help experts!
« Reply #5 on: November 25, 2014, 02:50:35 PM »
No other programs react to this mysterious process at startup; only your program and Kerish Doctor 2014 see it.

I just finished a scan with your program and again there are these unclear lines ...
¤¤¤ Antirootkit : 66 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\drivers\fwpkclnt.sys)
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcAsyncCompleteCall : C:\Windows\system32\WINSPOOL.DRV @ 0x743fd8a8
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingSetAuthInfoExW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1f6
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingSetObject : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb67
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcStringBindingComposeW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1ef
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingFromStringBindingW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1e8
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingSetOption : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb49
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcBindingFree : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa20b
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcStringFreeW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa1fd
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - I_RpcExceptionFilter : C:\Windows\system32\WINSPOOL.DRV @ 0x744081f9
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - NdrAsyncClientCall : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb5d
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - NdrClientCall2 : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa204
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcSmDestroyClientContext : C:\Windows\system32\WINSPOOL.DRV @ 0x74408225
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcAsyncInitializeHandle : C:\Windows\system32\WINSPOOL.DRV @ 0x743fdb53
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcMgmtIsServerListening : C:\Windows\system32\WINSPOOL.DRV @ 0x74408203
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcRaiseException : C:\Windows\system32\WINSPOOL.DRV @ 0x744081ef
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcAsyncCancelCall : C:\Windows\system32\WINSPOOL.DRV @ 0x744081e5
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - RpcEpResolveBinding : C:\Windows\system32\WINSPOOL.DRV @ 0x7440849a
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\WINSPOOL.DRV @ 0x744082fa
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\WINSPOOL.DRV @ 0x744082e6
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\WINSPOOL.DRV @ 0x7440834c
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\WINSPOOL.DRV @ 0x74408342
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoUninitialize : C:\Windows\system32\WINSPOOL.DRV @ 0x744082f0
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoGetApartmentType : C:\Windows\system32\WINSPOOL.DRV @ 0x7440820d
[IAT:Addr] (explorer.exe @ VERSION.dll) DSROLE.dll - DsRoleFreeMemory : C:\Windows\system32\WINSPOOL.DRV @ 0x74408247
[IAT:Addr] (explorer.exe @ VERSION.dll) DSROLE.dll - DsRoleGetPrimaryDomainInformation : C:\Windows\system32\WINSPOOL.DRV @ 0x7440822f
[IAT:Addr] (explorer.exe @ VERSION.dll) netutils.dll - NetApiBufferFree : C:\Windows\system32\WINSPOOL.DRV @ 0x7440824e
[IAT:Addr] (explorer.exe @ VERSION.dll) logoncli.dll - DsGetDcNameW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408266
[IAT:Addr] (explorer.exe @ VERSION.dll) DNSAPI.dll - DnsNameCompare_W : C:\Windows\system32\WINSPOOL.DRV @ 0x7440829d
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l1-1-0.dll - CloseServiceHandle : C:\Windows\system32\WINSPOOL.DRV @ 0x7440833b
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l1-1-0.dll - OpenSCManagerW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408304
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l1-1-0.dll - OpenServiceW : C:\Windows\system32\WINSPOOL.DRV @ 0x7440831c
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-service-management-l2-1-0.dll - QueryServiceConfigW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408323
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-security-sddl-l1-1-0.dll - ConvertSidToStringSidW : C:\Windows\system32\WINSPOOL.DRV @ 0x743fc73d
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetForegroundWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x744083e2
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetDesktopWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440845a
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetWindowLongW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408450
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetWindowLongW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408446
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - EndDialog : C:\Windows\system32\WINSPOOL.DRV @ 0x7440843c
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SendDlgItemMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408432
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetWindowPos : C:\Windows\system32\WINSPOOL.DRV @ 0x74408428
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetActiveWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440841e
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MessageBoxW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408414
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SendNotifyMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408356
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - DispatchMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408360
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440836a
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - EnableWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x74408374
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - AllowSetForegroundWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x7440837e
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - IsWindow : C:\Windows\system32\WINSPOOL.DRV @ 0x74408388
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MsgWaitForMultipleObjectsEx : C:\Windows\system32\WINSPOOL.DRV @ 0x74408392
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - PeekMessageW : C:\Windows\system32\WINSPOOL.DRV @ 0x7440839c
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetGUIThreadInfo : C:\Windows\system32\WINSPOOL.DRV @ 0x744083a6
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - TranslateMessage : C:\Windows\system32\WINSPOOL.DRV @ 0x744083b0
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - SetFocus : C:\Windows\system32\WINSPOOL.DRV @ 0x744083ba
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetParent : C:\Windows\system32\WINSPOOL.DRV @ 0x744083c4
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - DialogBoxParamW : C:\Windows\system32\WINSPOOL.DRV @ 0x744083ce
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetFocus : C:\Windows\system32\WINSPOOL.DRV @ 0x744083d8
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetDlgItemTextW : C:\Windows\system32\WINSPOOL.DRV @ 0x7440840a
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - IsImmersiveProcess : C:\Windows\system32\WINSPOOL.DRV @ 0x743ffd7e
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - GetLastActivePopup : C:\Windows\system32\WINSPOOL.DRV @ 0x744083ec
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MsgWaitForMultipleObjects : C:\Windows\system32\WINSPOOL.DRV @ 0x744083f6
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - PostQuitMessage : C:\Windows\system32\WINSPOOL.DRV @ 0x74408400
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - GetDeviceCaps : C:\Windows\system32\WINSPOOL.DRV @ 0x7440846e
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - CreateDCW : C:\Windows\system32\WINSPOOL.DRV @ 0x74408464
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - GdiIsUMPDSandboxingEnabled : C:\Windows\system32\WINSPOOL.DRV @ 0x743fc6b8
[IAT:Addr] (explorer.exe @ VERSION.dll) GDI32.dll - DeleteDC : C:\Windows\system32\WINSPOOL.DRV @ 0x74408478
« Last Edit: November 25, 2014, 03:31:20 PM by Nick_Mukola »
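As an added example (not part of this thread, and not RogueKiller's own logic), here is a small Python parser for the Antirootkit lines quoted above: the [EAT:Addr] / [IAT:Addr] lines, each reporting an export or import whose resolved address lies in a module other than the one named, and the [Filter(...)] lines naming the driver attached to a device stack. It groups the entries by the module the address resolves to and produces the list of files to verify. The triage rule is my heuristic, not the tool's: a target outside the system directory is the one to examine first, while a System32 target is most often an export forwarder or a detour placed by another Microsoft DLL (Tigzy calls several of these false positives), but its signature and hash should still be checked. The sample log is constructed; the last line, pointing at a DLL under a user's Temp folder, is invented only to show what a flagged entry looks like.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the RogueKiller "Antirootkit" section
# quoted in the thread. The last line is invented (no such file was reported
# on the poster's machine) purely to exercise the "outside System32" branch.
SAMPLE_LOG = r"""
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\drivers\fwpkclnt.sys)
[EAT:Addr] (explorer.exe) ieproxy.dll - DllGetClassObject : C:\Windows\system32\UIRibbon.dll @ 0x690c99e6
[IAT:Addr] (explorer.exe @ VERSION.dll) RPCRT4.dll - NdrClientCall2 : C:\Windows\system32\WINSPOOL.DRV @ 0x743fa204
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-core-com-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\WINSPOOL.DRV @ 0x744082fa
[IAT:Addr] (explorer.exe @ VERSION.dll) USER32.dll - MessageBoxW : C:\Users\bob\AppData\Local\Temp\hook.dll @ 0x10001234
"""

# [EAT:Addr] (process[ @ importing module]) source_module - function : resolved_path @ address
HOOK_RE = re.compile(
    r"^\[(?P<kind>[EI]AT):Addr\] \((?P<context>[^)]*)\) (?P<source>\S+) - (?P<func>\S+)"
    r" : (?P<target>.+?) @ (?P<addr>0x[0-9A-Fa-f]+)$"
)
# [Filter(...)] device stack description (path of the attached driver)
FILTER_RE = re.compile(r"^\[Filter\([^)]*\)\] (?P<stack>.+) \((?P<target>[^()]+)\)$")

# Both spellings appear in the log: a Win32 path and an NT-style \SystemRoot path.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "\\systemroot\\system32\\")


def parse_antirootkit(text):
    """Turn the Antirootkit lines into dicts; lines of other shapes are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            entries.append(m.groupdict())
            continue
        m = FILTER_RE.match(line)
        if m:
            entries.append({"kind": "Filter", **m.groupdict()})
    return entries


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_apiset(module):
    # api-ms-win-*.dll names are API-set contracts; the loader resolves them to
    # a real DLL, so an import "from" such a name never resolves into a file of
    # that name. Counting them helps explain a cluster of hits on one target.
    return module.lower().startswith("api-ms-win-")


def triage(entries):
    """Group hook/filter lines by the module the address resolves to."""
    report = defaultdict(lambda: {"count": 0, "funcs": [], "apiset_sources": 0,
                                  "in_system_dir": False, "suspicious": False})
    for e in entries:
        r = report[e["target"].lower()]
        r["count"] += 1
        if e["kind"] in ("EAT", "IAT"):
            r["funcs"].append(f'{e["source"]}!{e["func"]}')
            if is_apiset(e["source"]):
                r["apiset_sources"] += 1
        r["in_system_dir"] = in_system_dir(e["target"])
        # Heuristic (mine, not RogueKiller's): a target outside the system
        # directory is the one to look at first. A System32 target is most
        # likely a forwarder or a detour by another Microsoft DLL, but its
        # signature and hash should still be verified rather than assumed.
        r["suspicious"] = not r["in_system_dir"]
    return dict(report)


def files_to_verify(entries):
    """Deduplicated paths to hand to Get-AuthenticodeSignature or a hash lookup."""
    return sorted({e["target"] for e in entries})


if __name__ == "__main__":
    parsed = parse_antirootkit(SAMPLE_LOG)
    for path, info in triage(parsed).items():
        flag = "CHECK FIRST" if info["suspicious"] else "verify signature"
        print(f"{flag:16} {path}  hits={info['count']}  api-set sources={info['apiset_sources']}")
    print("files to verify:", *files_to_verify(parsed), sep="\n  ")
```

The parser does nothing a scanner would not do better on the live system; its value is that it turns a wall of hook lines into a handful of file paths. Feed those to `Get-AuthenticodeSignature` in PowerShell (or compare their hashes against a known-good copy of the same Windows build) before treating any of them as an infection.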