Author Topic: After scan Antirootkit entries in red (keylogger)

brai (Guest)

After scan Antirootkit entries in red (keylogger)
« on: September 13, 2014, 05:55:50 PM »
Hi,
When I search for Rtlh86.sys online I find they are part of the Realtek driver. However, they are colored red. Is this a false positive?

first scan

RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Amy [Admin rights]
Mode : Remove -- Date : 09/13/2014  09:12:16

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Skytel : Skytel.exe
  • -> DELETED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-21-569472977-528778950-3908599897-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.toshibadirect.com/dpdstart  -> NOT SELECTED

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 3 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\system32\DRIVERS\tdcmdpst.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000077 (\SystemRoot\system32\DRIVERS\Rtlh86.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000065 (\SystemRoot\system32\DRIVERS\Rtlh86.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2046GSX ATA Device +++++
--- User ---
[MBR] 249bd386a370e46236453f482b340040
[BSP] f11f9112ab015f346a36e3b66884f046 : HP MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 102400 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 212789248 | Size: 86879 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_09132014_083138.log

after delete

RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Amy [Admin rights]
Mode : Scan -- Date : 09/13/2014  09:45:00

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.HomePage] HKEY_USERS\S-1-5-21-569472977-528778950-3908599897-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.toshibadirect.com/dpdstart  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 3 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\system32\DRIVERS\tdcmdpst.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\0000007a (\SystemRoot\system32\DRIVERS\Rtlh86.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000068 (\SystemRoot\system32\DRIVERS\Rtlh86.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2046GSX ATA Device +++++
--- User ---
[MBR] 249bd386a370e46236453f482b340040
[BSP] f11f9112ab015f346a36e3b66884f046 : HP MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 102400 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 212789248 | Size: 86879 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_09132014_091216.log - RKreport_SCN_09132014_083138.log - RKreport_SCN_09132014_092242.log

Thanks

Tigzy (Administrator; Owner, Adlice Software)

Re: After scan Antirootkit entries in red (keylogger)
« Reply #1 on: September 15, 2014, 12:25:49 AM »
Looks like it is.
Can you confirm with a scan of them on virus total?

brai (Guest)

Re: After scan Antirootkit entries in red (keylogger)
« Reply #2 on: September 21, 2014, 04:30:09 PM »
VirusTotal shows them both clean. I'm going with false positive. Thanks for the reply.

Tigzy (Administrator; Owner, Adlice Software)

Re: After scan Antirootkit entries in red (keylogger)
« Reply #3 on: September 22, 2014, 09:03:01 AM »
Yes, it is; it will be whitelisted in the next release.
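The triage done in this thread (pull the Root.Keylogger hits out of the RogueKiller Antirootkit section, reduce them to the backing driver file, and check whether the same file is still flagged on the rescan before hashing it and looking it up on VirusTotal) can be scripted. The following is an added example, not RogueKiller's or Adlice's own code; the line layout it parses is inferred from the two reports quoted above, which are embedded here as constructed input.

```python
import re

# Constructed input: the Antirootkit sections of the two RogueKiller reports
# quoted in the thread (removal run, then the rescan), copied verbatim.
REPORT_BEFORE = r"""
¤¤¤ Antirootkit : 3 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\system32\DRIVERS\tdcmdpst.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000077 (\SystemRoot\system32\DRIVERS\Rtlh86.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000065 (\SystemRoot\system32\DRIVERS\Rtlh86.sys)
¤¤¤ Web browsers : 0 ¤¤¤
"""
REPORT_AFTER = r"""
¤¤¤ Antirootkit : 3 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\system32\DRIVERS\tdcmdpst.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\0000007a (\SystemRoot\system32\DRIVERS\Rtlh86.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000068 (\SystemRoot\system32\DRIVERS\Rtlh86.sys)
"""

# Layout inferred from the reports: "¤¤¤ Name : count ¤¤¤" headers and
# "[Filter(Category)] upper @ device : lower @ device (backing file)" lines.
SECTION = re.compile(r"^¤¤¤ (?P<name>.+?) : ")
FILTER = re.compile(
    r"^\[Filter\((?P<category>[^)]+)\)\] (?P<upper>\S+) @ (?P<upper_dev>\S+)"
    r" : (?P<lower>\S+) @ (?P<lower_dev>\S+) \((?P<file>[^)]+)\)$"
)

def parse_antirootkit(report):
    """Return the [Filter(...)] records from the Antirootkit section only."""
    entries, inside = [], False
    for line in report.splitlines():
        header = SECTION.match(line)
        if header:  # a new section starts; only Antirootkit lines count
            inside = header.group("name").startswith("Antirootkit")
            continue
        match = FILTER.match(line) if inside else None
        if match:
            entries.append(match.groupdict())
    return entries

def keylogger_candidates(entries):
    """Root.Keylogger hits keyed by backing file: one file, one hash to check."""
    by_file = {}
    for entry in entries:
        if entry["category"] == "Root.Keylogger":
            by_file.setdefault(entry["file"], []).append(entry["upper_dev"])
    return by_file

def persistent_candidates(before, after):
    """Files flagged in both reports; numbered device handles change per boot."""
    return sorted(set(keylogger_candidates(parse_antirootkit(before)))
                  & set(keylogger_candidates(parse_antirootkit(after))))
```

Note that the numbered \Device handles under SynTP differ between the two reports while the backing file does not, which is why the comparison keys on the file path; the resulting list is what to hash and submit for a multi-engine lookup.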