Topic: Hi there, May I get assistance with my report?

July 14, 2014, 05:54:51 PM

mcjaydeemn

  • Guest
Hi there, May I get assistance with my report?
« on: July 14, 2014, 05:54:51 PM »
Hi, my question is about the rootkit filter UBHelper. I tried googling them to hopefully not have to get guidance. (I see you're a one-man army.) I think it's awesome. You deserve donations for your services! Anyway, Google picked it up as a blue screen of death it came with for Windows 7? and some other rootkit, and a few things contradicted themselves and I don't wanna risk it. But here is my report, and I thank you.

Code:
RogueKiller V9.2.3.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Jaydee [Admin rights]
Mode : Scan -- Date : 07/14/2014  10:21:33

¤¤¤ Bad processes : 1 ¤¤¤
[Proc.Svchost] svchost.exe -- [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 15 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | DelaypluginInstall : C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe  -> FOUND
[Suspicious.Path] HKEY_USERS\S-1-5-21-553614536-3529320758-1677356502-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #0 : C:\Users\Jaydee\Documents\GoogleChromePortable\App\Chrome-bin\chrome.exe  --user-data-dir="C:\Users\Jaydee\Documents\GoogleChromePortable\Data\profile" --disk-cache-dir="C:\Users\Jaydee\AppData\Local\Temp\GoogleChromePortable" --flag-switches-begin --enable-accelerated-filters --flag-switches-end --restore-last-session  -> FOUND
[PUM.Proxy] HKEY_USERS\S-1-5-21-553614536-3529320758-1677356502-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A03F317D-E7BA-4EFC-8608-0F6FE17E7B78} | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A03F317D-E7BA-4EFC-8608-0F6FE17E7B78} | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{A03F317D-E7BA-4EFC-8608-0F6FE17E7B78} | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{A03F317D-E7BA-4EFC-8608-0F6FE17E7B78} | DhcpNameServer : 24.220.0.10 24.220.0.11  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-553614536-3529320758-1677356502-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-553614536-3529320758-1677356502-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 2 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\UBHelper @ \Device\UBHelper0 (\SystemRoot\System32\drivers\dxgkrnl.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\NTIDrvr @ \Device\NTIDrvr1 (\SystemRoot\system32\DRIVERS\parport.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA100 ATA Device +++++
--- User ---
[MBR] 7e1300f86a59cab6a49130cc8003152e
[BSP] 7dccac2e4b1d1b4579508982ed0d15d9 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953766 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Seagate FreeAgent GoFlex USB Device +++++
--- User ---
[MBR] 26872014b3294efb2c205c20310556de
[BSP] e43d5e135bef1a77ac6cd4556b9fd5d4 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_07142014_095952.log

Reply #1, July 18, 2014, 03:53:45 PM

Tigzy

  • Administrator
  • Owner, Adlice Software
Re: Hi there, May I get assistance with my report?
« Reply #1 on: July 18, 2014, 03:53:45 PM »
Hello
First, thanks :)

Then, could you check the files themselves (publisher, whether signed, etc.)?

\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\system32\DRIVERS\parport.sys

You can even send them to VirusTotal to double-check.
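One way to do the check Tigzy describes for the two files named in the report's Antirootkit lines, as an added example that is not code from the thread or from RogueKiller: it pulls the backing driver path out of each `[Filter(Kernel.Filter)]` line, resolves `\SystemRoot`, and records the Authenticode signer and SHA-256 of the file. It assumes it runs on the scanned machine; the two sample lines are copied from the report above, and the report file name in the comment is the one the post lists.

```powershell
# Added example, not code from the thread: pull the driver file paths out of the
# report's Antirootkit lines, then record signer and SHA-256 for each file.
# The two lines below are copied from the report above; to use a saved report,
# replace them with: $reportLines = Get-Content 'C:\path\to\RKreport_SCN_07142014_095952.log'
$reportLines = @(
  '[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\UBHelper @ \Device\UBHelper0 (\SystemRoot\System32\drivers\dxgkrnl.sys)',
  '[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\NTIDrvr @ \Device\NTIDrvr1 (\SystemRoot\system32\DRIVERS\parport.sys)'
)

function Get-DriverPathFromFilterLine {
    param([string]$Line)
    # The backing file is the last parenthesised token; \SystemRoot is the
    # kernel-style prefix for %SystemRoot% (usually C:\Windows).
    if ($Line -match '\((\\SystemRoot\\[^)]+)\)\s*$') {
        return $Matches[1] -replace '^\\SystemRoot', $env:SystemRoot
    }
    return $null
}

function Get-FileSha256 {
    param([string]$Path)
    # Hash manually so this also runs on PowerShell 2.0 (the Windows 7 default);
    # Get-FileHash only exists from PowerShell 4.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

foreach ($line in $reportLines) {
    if ($line -notmatch '^\[Filter\(Kernel\.Filter\)\]') { continue }
    $path = Get-DriverPathFromFilterLine $line
    if (-not $path) { Write-Warning "No driver path in line: $line"; continue }
    if (-not (Test-Path $path)) { Write-Warning "Missing file: $path"; continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    # Many stock Windows drivers are catalog-signed rather than embedded-signed;
    # older PowerShell reports those as NotSigned, so confirm a NotSigned result
    # with Sysinternals sigcheck before treating it as suspicious.
    New-Object PSObject -Property @{
        File     = $path
        Status   = $sig.Status
        Signer   = $signer
        SHA256   = Get-FileSha256 $path   # look this hash up on VirusTotal
        Modified = (Get-Item $path).LastWriteTime
    } | Format-List
}
```

Searching VirusTotal for the printed SHA-256 shows whether the exact file is already known without uploading it; a Microsoft signer, a known-good hash and an old modification date together are what you would expect for legitimate dxgkrnl.sys and parport.sys.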