Author Topic: Am I infected?

metAphysikZ

  • Guest
Am I infected?
« on: November 10, 2014, 10:09:16 PM »
I have the newest version of this wonderful product, and it is still showing that I'm infected. When I last posted and asked the same question, I was told that it was a known issue with RogueKiller and that I was fine. So am I infected, or is this another false positive?
I will copy/paste the report below...
Cheers and thank you so very much in advance!  :)

-Gratefully, metA

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Patrick [Administrator]
Mode : Scan -- Date : 11/10/2014  15:48:26

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8DEF27C7-F5E4-4BFA-B6BD-A718CAAD3C4A} | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8DEF27C7-F5E4-4BFA-B6BD-A718CAAD3C4A} | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8DEF27C7-F5E4-4BFA-B6BD-A718CAAD3C4A} | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)]  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 37 (Driver: Loaded) ¤¤¤
[IAT:Inl] (explorer.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x775c0040 (jmp 0xfffffffffff9e890)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - LdrLoadDll : Unknown @ 0x775a0430 (jmp 0xfffffffffffa8970)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtFreeVirtualMemory : Unknown @ 0x775c0028 (jmp 0xfffffffffff9eb98)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtAllocateVirtualMemory : Unknown @ 0x775c0010 (jmp 0xfffffffffff9ebe0)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtSetSecurityObject : Unknown @ 0x775a0501 (jmp 0xfffffffffff7db91)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtAllocateVirtualMemory : Unknown @ 0x775c0010 (jmp 0xfffffffffff9ebe0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x775c0040 (jmp 0xfffffffffff9e890)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtFreeVirtualMemory : Unknown @ 0x775c0028 (jmp 0xfffffffffff9eb98)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - LdrLoadDll : Unknown @ 0x775a0430 (jmp 0xfffffffffffa8970)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSetSecurityObject : Unknown @ 0x775a0501 (jmp 0xfffffffffff7db91)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - LdrLoadDll : Unknown @ 0x775a0430 (jmp 0xfffffffffffa8970)
[IAT:Inl] (explorer.exe @ USER32.dll) ntdll.dll - NtSetSecurityObject : Unknown @ 0x775a0501 (jmp 0xfffffffffff7db91)
[IAT:Inl] (explorer.exe @ SHELL32.dll) ntdll.dll - NtSetSecurityObject : Unknown @ 0x775a0501 (jmp 0xfffffffffff7db91)
[IAT:Inl] (explorer.exe @ SHELL32.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ ole32.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ ole32.dll) RPCRT4.dll - NdrStubCall2 : Unknown @ 0x7fefdee00d1 (jmp 0xfffffffffee1b691)
[IAT:Inl] (explorer.exe @ ole32.dll) RPCRT4.dll - NdrServerInitialize : Unknown @ 0x7fefdee0000 (jmp 0xfffffffffee0deb0)
[IAT:Inl] (explorer.exe @ OLEAUT32.dll) RPCRT4.dll - NdrStubCall2 : Unknown @ 0x7fefdee00d1 (jmp 0xfffffffffee1b691)
[IAT:Inl] (explorer.exe @ EXPLORERFRAME.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ UxTheme.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ SSPICLI.DLL) ntdll.dll - NtFreeVirtualMemory : Unknown @ 0x775c0028 (jmp 0xfffffffffff9eb98)
[IAT:Inl] (explorer.exe @ comctl32.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ WindowsCodecs.dll) RPCRT4.dll - NdrStubCall2 : Unknown @ 0x7fefdee00d1 (jmp 0xfffffffffee1b691)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - LdrLoadDll : Unknown @ 0x775a0430 (jmp 0xfffffffffffa8970)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x775c0040 (jmp 0xfffffffffff9e890)
[IAT:Inl] (explorer.exe @ saHook.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtSetSecurityObject : Unknown @ 0x775a0501 (jmp 0xfffffffffff7db91)
[IAT:Inl] (explorer.exe @ tiptsf.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ lgscroll.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ GameHook.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ werconcpl.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ ieframe.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ StructuredQuery.dll) RPCRT4.dll - NdrStubCall2 : Unknown @ 0x7fefdee00d1 (jmp 0xfffffffffee1b691)
[IAT:Inl] (explorer.exe @ oleacc.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ shrcore.dll) RPCRT4.dll - NdrStubCall2 : Unknown @ 0x7fefdee00d1 (jmp 0xfffffffffee1b691)
[IAT:Inl] (explorer.exe @ shredshm.dll) RPCRT4.dll - NdrStubCall2 : Unknown @ 0x7fefdee00d1 (jmp 0xfffffffffee1b691)

¤¤¤ Web browsers : 3 ¤¤¤
[PUM.Proxy][FIREFX:Config] sspfwjn0.default-1412283438519 : user_pref("network.proxy.http", "97.85.244.57"); -> Found
[PUM.Proxy][FIREFX:Config] sspfwjn0.default-1412283438519 : user_pref("network.proxy.http_port", 9064); -> Found
[PUM.HomePage][FIREFX:Config] sspfwjn0.default-1412283438519 : user_pref("browser.startup.homepage", "google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9750420AS +++++
--- User ---
[MBR] aefbcd6b5884ee623176de371dd35af6
[BSP] 7578a1bab6f3a69708518e719183ce8b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 701401 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1436676885 | Size: 13902 MB
User = LL1 ... OK
User = LL2 ... OK


Tigzy

  • Owner, Adlice Software
Re: Am I infected?
« Reply #1 on: November 11, 2014, 09:38:25 AM »
Hello
It's not a false positive; it's just that we can't conclude because the module is not found. It's probably a shellcode jumping elsewhere.
Unless we are able to reproduce it one day, that'll be hard to tell.
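As an added example (not part of this thread or of RogueKiller's own code), a small Python triage helper for report lines like the ones in the first post: it collapses the per-importer [IAT:Inl] lines into the handful of distinct patched functions, lists the hooks whose destination RogueKiller could not attribute to a module (the "Unknown" Tigzy refers to), and pulls the DNS servers and Firefox proxy out of the PUM entries so they can be compared with what the user actually configured. The line format is inferred from the report on this page; the sample input is a few lines copied from it.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the RogueKiller report posted above.
SAMPLE_REPORT = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)]  -> Found
[IAT:Inl] (explorer.exe) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x775c0040 (jmp 0xfffffffffff9e890)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtProtectVirtualMemory : Unknown @ 0x775c0040 (jmp 0xfffffffffff9e890)
[IAT:Inl] (explorer.exe @ SHELL32.dll) USER32.dll - SetWindowsHookExW : Unknown @ 0x775a06a3 (jmp 0x77220e2f)
[PUM.Proxy][FIREFX:Config] sspfwjn0.default-1412283438519 : user_pref("network.proxy.http", "97.85.244.57"); -> Found
[PUM.Proxy][FIREFX:Config] sspfwjn0.default-1412283438519 : user_pref("network.proxy.http_port", 9064); -> Found
"""

# Line formats inferred from the report (an assumption, not RogueKiller's documented grammar).
HOOK_RE = re.compile(
    r"^\[IAT:Inl\] \((?P<proc>[^\s)]+)(?: @ (?P<importer>[^)]+))?\) "
    r"(?P<dll>\S+) - (?P<func>\S+) : (?P<module>\S+) @ (?P<addr>0x[0-9a-f]+) "
    r"\(jmp (?P<target>0x[0-9a-f]+)\)$")
PUM_RE = re.compile(r"^\[(?P<cat>PUM\.\w+)\](?:\[(?P<ctx>[^\]]+)\])? (?P<body>.+?)\s*-> Found$")

def parse_report(text):
    """Split report text into parsed [IAT:Inl] hook entries and [PUM.*] findings."""
    hooks, pums = [], []
    for line in text.splitlines():
        if m := HOOK_RE.match(line):
            hooks.append(m.groupdict())
        elif m := PUM_RE.match(line):
            pums.append(m.groupdict())
    return hooks, pums

def distinct_hooks(hooks):
    """One line is printed per importing module, so group by the patched function instead."""
    groups = defaultdict(list)
    for h in hooks:
        groups[(h["dll"], h["func"], h["addr"], h["target"])].append(h["importer"] or h["proc"])
    return dict(groups)

def unresolved_hooks(hooks):
    """Hooks whose jump destination was not attributed to any loaded module ('Unknown')."""
    return sorted({(h["dll"], h["func"], h["target"]) for h in hooks if h["module"] == "Unknown"})

def network_settings(pums):
    """Extract DNS servers from PUM.Dns and the Firefox proxy prefs from PUM.Proxy findings."""
    dns, proxy = set(), {}
    for p in pums:
        if p["cat"] == "PUM.Dns":      # body ends with 'DhcpNameServer : a.b.c.d e.f.g.h [COUNTRY]'
            dns.update(p["body"].split(" : ", 1)[1].split(" [", 1)[0].split())
        elif p["cat"] == "PUM.Proxy":  # body carries a user_pref("key", value); statement
            if m := re.search(r'user_pref\("(?P<k>[^"]+)", "?(?P<v>[^")]+)"?\)', p["body"]):
                proxy[m["k"]] = m["v"]
    return sorted(dns), proxy
```

Run the four functions over a full report to see how many distinct hooks the 37 lines really represent and which network settings to check against your own configuration.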

metAphysikZ

  • Guest
Re: Am I infected?
« Reply #2 on: November 18, 2014, 12:37:14 AM »
Should I delete everything that is showing up in orange?  ???

Tigzy

  • Owner, Adlice Software
Re: Am I infected?
« Reply #3 on: November 18, 2014, 09:12:12 AM »
If it's in the driver tab, you can't.
In the registry/web browsers, it depends on whether you set that configuration or not.