Topic: Account Hacked (Possible Rootkit); need help understanding report

January 13, 2015, 06:45:45 PM

Vediovis

So, one of my accounts got hacked. I was paranoid and I started scanning my laptop.
I ran RogueKiller twice and both showed very different results (rebooted in between).
I am not sure what to make of it, can someone help me with it?

I have attached the logs as they were over 20000 characters and did not fit into this post.

Reply #1, January 14, 2015, 11:54:44 PM

Curson

Hi Vediovis,

Welcome to Adlice.com Forum.

The first report was generated with the 32-bit version of RogueKiller, the second with the 64-bit version (the one you should be using).
Anyway, the tool wasn't able to load its driver.
Quote
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤
Were any security programs running in the background when you launched RogueKiller?

Regards.

Reply #2, January 15, 2015, 03:17:15 PM

Vediovis

Hey Curson,

Thanks for the reply.
I use MalwareBytes' Anti Malware, MalwareBytes' Anti Exploit, and BitDefender.
I am not sure why the driver did not load since I had disabled all three of them.

What do you suggest?

Reply #3, January 16, 2015, 03:37:25 PM

Curson

Hi Vediovis,

Please restart your computer and perform a new scan with RogueKiller.
Could you tell me if the following file is present:
Quote
C:/Windows/System32/Drivers/TrueSight.sys

Regards.
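
Added example (not part of the original thread and not RogueKiller's own code): a PowerShell check of whether the driver file named in the post above is present, whether its Authenticode signature validates, and whether a kernel driver service references it. The function name is hypothetical and the path assumes the default location quoted in the post.

```powershell
# Added example: inspect the driver file the thread asks about.
# Assumptions: default driver directory as quoted in the post; hypothetical function name.
function Get-TrueSightDriverStatus {
    param([string]$FileName = 'TrueSight.sys')

    # A 32-bit process on 64-bit Windows sees System32 redirected to SysWOW64;
    # the Sysnative alias reaches the real driver directory in that case.
    $sysDir = if ([Environment]::Is64BitOperatingSystem -and
                  -not [Environment]::Is64BitProcess) { 'Sysnative' } else { 'System32' }
    $path = Join-Path $env:SystemRoot "$sysDir\drivers\$FileName"

    # Is the file there, and does its digital signature validate?
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $path }

    # Kernel driver services whose image path points at this file.
    $svc = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$FileName" }

    [pscustomobject]@{
        Path          = $path
        Present       = [bool]$file
        LastWriteTime = $file.LastWriteTime
        Signature     = $sig.Status
        Signer        = $sig.SignerCertificate.Subject
        ServiceName   = $svc.Name
        ServiceState  = $svc.State
        StartMode     = $svc.StartMode
    }
}

Get-TrueSightDriverStatus | Format-List
```

A file that is present while no service references it, or while the service is stopped, matches the "Driver: Not loaded" line quoted earlier in the thread.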

Reply #4, January 17, 2015, 09:32:22 PM

Vediovis

Yes, the file is present but the restart did not help.
Any other suggestions?

Reply #5, January 18, 2015, 04:42:41 PM

Curson

Hi Vediovis,

It seems that RogueKiller's driver cannot be initialized for some reason.
The presence of a rootkit may be causing this behaviour.
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your next reply.

Regards.

Reply #6, January 19, 2015, 03:06:03 PM

Vediovis

The scan came out clean.
I have attached the logs just in case.

Please tell me how to proceed next?

Reply #7, January 19, 2015, 04:31:34 PM

Curson

Hi Vediovis,

According to the last report your computer seems clean.
However, we would like to investigate why RogueKiller's driver was unable to load.

Could you please manually delete the file TrueSight.sys and make a last try with RogueKiller?

Regards.

Reply #8, January 20, 2015, 10:55:42 PM

Vediovis

Seems like the driver loaded fine this time. I have attached the log as there were other errors.

The anti-rootkit section showed some files (link to image) - http://i.imgur.com/E8hxjNX.png

Reply #9, January 20, 2015, 11:16:07 PM

Curson

Hi Vediovis,

Yes, the driver managed to load and the tool reported no infection.
The lines which are highlighted in green in the Rootkit section are legit elements which should not be removed.
Your computer seems clean.

If you have any questions, feel free to ask.
Regards.