Author Topic: Rootkit section lit up green; Is my system compromised?


August 04, 2015, 06:18:16 AM

x0r

Rootkit section lit up green; Is my system compromised?
Thank you for your help with the following report:

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : X0r [Administrator]
Started from : C:\Users\J\Desktop\RogueKillerX64.exe
Mode : Delete -- Date : 08/04/2015 01:09:47

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | DelaypluginInstall : C:\ProgramData\Wondershare\Player\DelayPluginI.exe
  • -> Deleted
[Suspicious.Path] (X64) HKEY_USERS\RK_J_ON_H_EA65\Software\Microsoft\Windows\CurrentVersion\Run | Epic Privacy Browser Installer : "C:\Users\J\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe" /c
  • -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\RK_J_ON_H_EA65\Software\Microsoft\Windows\CurrentVersion\Run | Epic Privacy Browser Installer : "C:\Users\J\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe" /c
  • -> ERROR [2]


¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: INTEL SSDSA2M040G2GC ATA Device +++++
--- User ---
[MBR] 847d9d7ae4601dda6d44d8f470d1b5e0
[BSP] 1378b03ef016bf555a4efe426a49885a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 37814 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD1002FAEX-00Y9A0 ATA Device +++++
--- User ---
[MBR] 9c3452014a31ba341c4f09e75a9aae2f
[BSP] c43b05377763052285360b456bc4a0bc : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 30720 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 62916608 | Size: 204800 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 482347008 | Size: 102400 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 692062208 | Size: 615947 MB
User = LL1 ... OK
User = LL2 ... OK

regards,

X0r
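The Registry section of the report is the part that actually bears on the question in the title, so here is an added example (not RogueKiller's code, and not from any poster in this thread) that parses those lines and re-applies the kind of heuristic a [Suspicious.Path] label implies: an auto-start value whose executable lives in a user-writable location (C:\ProgramData, a user's AppData) gets a second look, while one under C:\Windows or Program Files does not. The regexes, the directory trust lists, the ".exe token" path split and the reading of ERROR [2] as the Win32 code ERROR_FILE_NOT_FOUND are assumptions of the example, not documented RogueKiller behaviour. The sample input is the three entries copied from the report above.

```python
"""Re-check the Run-key entries in a RogueKiller report.

Added example: not RogueKiller's code and not from anyone in the thread.
The report lines below are copied from the post above; the regexes, the
directory trust lists, the .exe token heuristic and the reading of
'ERROR [2]' as a Win32 error code are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Registry section of the report above, verbatim.
SAMPLE_REPORT = r"""¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | DelaypluginInstall : C:\ProgramData\Wondershare\Player\DelayPluginI.exe
  • -> Deleted
[Suspicious.Path] (X64) HKEY_USERS\RK_J_ON_H_EA65\Software\Microsoft\Windows\CurrentVersion\Run | Epic Privacy Browser Installer : "C:\Users\J\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe" /c
  • -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\RK_J_ON_H_EA65\Software\Microsoft\Windows\CurrentVersion\Run | Epic Privacy Browser Installer : "C:\Users\J\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe" /c
  • -> ERROR [2]

¤¤¤ Tasks : 0 ¤¤¤
"""

# Assumed layout of a report line: "[rule] (view) key | value name : command".
ENTRY_RE = re.compile(
    r"^\[(?P<rule>[^\]]+)\] \((?P<view>X86|X64)\) (?P<key>\S+) \| "
    r"(?P<name>.+?) : (?P<command>.+)$"
)
ACTION_RE = re.compile(r"^\s*(?:•\s*)?-> (?P<action>.+?)\s*$")

# Assumed trust model: auto-start code under the OS or Program Files tree is
# "trusted" (admin-writable only); code under ProgramData or a user profile is
# "user-writable", which is what a Suspicious.Path flag keys on.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")
USER_WRITABLE_ROOTS = (r"c:\programdata", r"c:\users")


@dataclass
class RunEntry:
    rule: str
    view: str
    key: str
    name: str
    command: str
    action: Optional[str] = None

    @property
    def image_path(self) -> str:
        """Executable path without arguments: a quoted path ends at the closing
        quote; an unquoted one is joined token by token until a token ends in
        .exe, so an unquoted Program Files path with spaces survives."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        parts: List[str] = []
        for tok in cmd.split(" "):
            parts.append(tok)
            if tok.lower().endswith(".exe"):
                break
        return " ".join(parts)

    @property
    def location(self) -> str:
        p = self.image_path.lower()
        if p.startswith(TRUSTED_ROOTS):
            return "trusted"
        if p.startswith(USER_WRITABLE_ROOTS):
            return "user-writable"
        return "other"


def parse_registry_section(report: str) -> List[RunEntry]:
    """Collect the flagged entries of the '¤¤¤ Registry' section, attaching
    each '-> result' line to the entry that precedes it."""
    entries: List[RunEntry] = []
    in_section = False
    for line in report.splitlines():
        if line.startswith("¤¤¤"):
            in_section = line.startswith("¤¤¤ Registry")
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RunEntry(**m.groupdict()))
            continue
        m = ACTION_RE.match(line)
        if m and entries:
            entries[-1].action = m.group("action")
    return entries


def error_code(action: Optional[str]) -> Optional[int]:
    """Numeric code from an 'ERROR [n]' result, else None."""
    m = re.fullmatch(r"ERROR \[(\d+)\]", action or "")
    return int(m.group(1)) if m else None


def summarize(entries: List[RunEntry]) -> List[str]:
    """One verdict line per entry; the same value seen through both the X86
    and X64 registry views is pointed out so it is not read as two threats."""
    views: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        views.setdefault((e.key, e.name), []).append(e.view)
    out = []
    for e in entries:
        line = f"{e.view} {e.name!r}: {e.image_path} [{e.location}] -> {e.action}"
        if len(views[(e.key, e.name)]) > 1:
            line += " (same value seen via views " + "/".join(views[(e.key, e.name)]) + ")"
        if error_code(e.action) == 2:
            # Assumption: RogueKiller reports Win32 codes; 2 is ERROR_FILE_NOT_FOUND,
            # which fits a value that the earlier delete had already removed.
            line += " (error 2 = ERROR_FILE_NOT_FOUND)"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in summarize(parse_registry_section(SAMPLE_REPORT)):
        print(line)
```

Run it as a script to get one line per entry. The X86/X64 grouping is there because the third hit is the same HKEY_USERS value seen through the other registry view, and an error on it is what you would expect once the first delete has removed the value. A user-writable path is a reason to identify the program, not a verdict on its own: both values here point at installer or updater components of software the user apparently installed (Wondershare Player, Epic Privacy Browser).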

Reply #1, August 04, 2015, 02:31:47 PM

Heantrad

Re: Rootkit section lit up green; Is my system compromised?
Maybe I can't help with the rest of the log, but if the rootkit section is light green, it's safe; if you hover the mouse over that section it says "This item is clean, this will only display for information".

Reply #2, August 06, 2015, 09:47:02 PM

Curson

Re: Rootkit section lit up green; Is my system compromised?
Hi x0r,

Welcome to Adlice.com Forum.

These entries are false positives. We will whitelist them as soon as possible.
Additionally, Heantrad is completely right about the Rootkit section.

Regards.