Author Topic: Is this Report/Machine Clean?  (Read 10627 times)


DaKoz (Guest)
Is this Report/Machine Clean?
« on: March 14, 2014, 06:04:29 PM »
I have run RogueKiller and need help analyzing this report, please.
Please see attached RK report.

Is this report showing the machine to be clean?

------------------------------------------------------------------

I found an earlier scan report that was run on this machine when it was being symptomatic, if this helps any. Please let me know if more information is needed. Here is that earlier RK report:

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : ritzadmin [Admin rights]
Mode : Scan -- Date : 02/07/2014 17:24:25
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[70] : NtCreateKey @ 0x82C3E009 -> HOOKED (Unknown @ 0x98D134B4)
[Address] SSDT[74] : NtCreateMutant @ 0x82C4D35A -> HOOKED (Unknown @ 0x98D06A64)
[Address] SSDT[79] : NtCreateProcess @ 0x82D191D1 -> HOOKED (Unknown @ 0x98D13054)
[Address] SSDT[80] : NtCreateProcessEx @ 0x82D1921C -> HOOKED (Unknown @ 0x98D0705C)
[Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x82C3E9D4 -> HOOKED (Unknown @ 0x98D069F4)
[Address] SSDT[87] : NtCreateThread @ 0x82D18FDA -> HOOKED (Unknown @ 0x98D06B94)
[Address] SSDT[88] : NtCreateThreadEx @ 0x82CAD4AB -> HOOKED (Unknown @ 0x98D06B5C)
[Address] SSDT[93] : NtCreateUserProcess @ 0x82CAB3DD -> HOOKED (Unknown @ 0x98C95DCC)
[Address] SSDT[103] : NtDeleteKey @ 0x82C28A58 -> HOOKED (Unknown @ 0x98D13444)
[Address] SSDT[106] : NtDeleteValueKey @ 0x82C1A461 -> HOOKED (Unknown @ 0x98D06C3C)
[Address] SSDT[111] : NtDuplicateObject @ 0x82C6E761 -> HOOKED (Unknown @ 0x98D069BC)
[Address] SSDT[155] : NtLoadDriver @ 0x82C02C40 -> HOOKED (Unknown @ 0x98D06A9C)
[Address] SSDT[190] : NtOpenProcess @ 0x82C4EBA1 -> HOOKED (Unknown @ 0x98CD7D4C)
[Address] SSDT[194] : NtOpenSection @ 0x82CA69FB -> HOOKED (Unknown @ 0x98D06C04)
[Address] SSDT[198] : NtOpenThread @ 0x82C9B102 -> HOOKED (Unknown @ 0x876EC55C)
[Address] SSDT[290] : NtRenameKey @ 0x82CD90EB -> HOOKED (Unknown @ 0x98D1340C)
[Address] SSDT[302] : NtRestoreKey @ 0x82CCECA2 -> HOOKED (Unknown @ 0x98D06CC4)
[Address] SSDT[350] : NtSetSystemInformation @ 0x82C8B37A -> HOOKED (Unknown @ 0x98D06A2C)
[Address] SSDT[358] : NtSetValueKey @ 0x82C47606 -> HOOKED (Unknown @ 0x98D1347C)
[Address] SSDT[370] : NtTerminateProcess @ 0x82C97D9A -> HOOKED (Unknown @ 0x98D13FBC)
[Address] SSDT[371] : NtTerminateThread @ 0x82CB56CB -> HOOKED (Unknown @ 0x98D134EC)
[Address] SSDT[399] : NtWriteVirtualMemory @ 0x82C9CA97 -> HOOKED (Unknown @ 0x98D06BCC)
[Address] Shadow SSDT[584] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x8A3DF3FC)
[Address] Shadow SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A3E1E7C)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAJS-75M0A0 +++++
--- User ---
[MBR] b7a1dbd4fbdf4ed8c72f531c2a821c6f
[BSP] bd88243ba1753a8780c06e4eb19307c6 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10018 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 20598784 | Size: 228359 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02072014_172425.txt >>

« Last Edit: March 17, 2014, 04:34:42 PM by DaKoz »

Tigzy (Administrator; Owner, Adlice Software)
Re: Is this Report/Machine Clean?
« Reply #1 on: March 18, 2014, 08:14:36 AM »
Hello
It does not show any harmful item.
What are the symptoms?

DaKoz (Guest)
Re: Is this Report/Machine Clean?
« Reply #2 on: March 18, 2014, 02:36:34 PM »
Observed symptoms were that this machine could not finish running a particular script that was written for some automated testing done by the machine, and also it was not able to save MS Excel files across a network to a server. I was concerned about adding it back to the network to see if it performed properly now, since I did not understand what this report was telling me.

Ended up finding several other machines that had similar symptoms that were apparently causing otherwise unexplainable performance issues (very slow response time) on a middleware-interfaced Oracle database application on our network. Once these machines were disabled, this slow response time issue went away. RK found and was able to delete similar registry entries on these other machines also.

Why do I still have these items reported under the "driver" portion of the RK GUI (and report), whereas on another machine that was never infected, I do not have these "driver" SSDT entries?
Sorry for my lack of understanding and the question... Just trying to learn from the experts.
Thanks for your time, patience and assistance.


Tigzy
Re: Is this Report/Machine Clean?
« Reply #3 on: March 18, 2014, 05:31:59 PM »
mmh. Looks like a network issue.
Are you able to reproduce those symptoms with a clean machine?

The SSDT entries are probably set by an antivirus product.
Since they point to a shellcode (outside of any module, which is why we show 'Unknown'), we can't conclude whether the filtering module is harmful or not.
From experience, I've seen such hooks put in place by some security products.

In some future version of RK, I'll probably try to bypass the first hook layer to find what module is really behind the hook.

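To make the "outside of any module" point concrete: RogueKiller prints `Unknown` when the address a hooked SSDT slot now points to lies inside no loaded driver image, so the hook target cannot be attributed to a file on disk. The following is an added example, not RogueKiller's code and not anything posted in this thread: it parses `[Address] SSDT[...]` lines in the format of the report above, checks each hook target and each original address against a module map, and groups the unattributed targets by 1 MiB region so that one driver's trampoline pool shows up as a cluster. The module map is an assumption (a kernel range and a hypothetical `avfilter.sys`); on a real machine you would fill it from `EnumDeviceDrivers` / `GetDeviceDriverBaseName` (psapi) or from WinDbg's `lm` listing. The sample lines are a subset copied from the report above.

```python
import re
from collections import defaultdict

# Sample lines copied in the shape of the report above (index, function,
# original address, hook target). Any report text in this format can be fed
# to parse_hooks(); the selection here is just a subset for the example.
SAMPLE_REPORT = """\
[Address] SSDT[70] : NtCreateKey @ 0x82C3E009 -> HOOKED (Unknown @ 0x98D134B4)
[Address] SSDT[74] : NtCreateMutant @ 0x82C4D35A -> HOOKED (Unknown @ 0x98D06A64)
[Address] SSDT[93] : NtCreateUserProcess @ 0x82CAB3DD -> HOOKED (Unknown @ 0x98C95DCC)
[Address] SSDT[190] : NtOpenProcess @ 0x82C4EBA1 -> HOOKED (Unknown @ 0x98CD7D4C)
[Address] SSDT[198] : NtOpenThread @ 0x82C9B102 -> HOOKED (Unknown @ 0x876EC55C)
[Address] Shadow SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A3E1E7C)
"""

# ASSUMED module map: (base, size, name). The kernel range and the
# 'avfilter.sys' driver are hypothetical values for this example; on the
# real machine take them from EnumDeviceDrivers()/GetDeviceDriverBaseName()
# (psapi) or from WinDbg's 'lm' listing.
MODULES = [
    (0x82C00000, 0x00400000, "ntoskrnl.exe"),
    (0x8A3D0000, 0x00020000, "avfilter.sys"),
]

HOOK_RE = re.compile(
    r"\[Address\]\s+(?P<table>Shadow SSDT|SSDT)\[(?P<idx>\d+)\]\s*:\s*"
    r"(?P<func>\w+)(?:\s+@\s+0x(?P<orig>[0-9A-Fa-f]+))?\s*->\s*HOOKED\s*"
    r"\(\w+\s+@\s+0x(?P<target>[0-9A-Fa-f]+)\)"
)


def parse_hooks(text):
    """Return one dict per HOOKED line; lines in any other shape are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.search(line)
        if m:
            hooks.append({
                "table": m["table"],
                "index": int(m["idx"]),
                "func": m["func"],
                "orig": int(m["orig"], 16) if m["orig"] else None,
                "target": int(m["target"], 16),
            })
    return hooks


def resolve(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return None


def triage(text, modules=MODULES):
    """For each hook: (table, index, function, owner of target, owner of the
    original address). Targets with no owner are grouped by 1 MiB region,
    because one driver's trampolines usually come from one or two pool
    allocations and therefore cluster."""
    rows = []
    regions = defaultdict(list)
    for h in parse_hooks(text):
        target_owner = resolve(h["target"], modules)
        orig_owner = resolve(h["orig"], modules) if h["orig"] is not None else None
        rows.append((h["table"], h["index"], h["func"], target_owner, orig_owner))
        if target_owner is None:
            regions[h["target"] >> 20].append(h["func"])
    return rows, dict(regions)


if __name__ == "__main__":
    rows, regions = triage(SAMPLE_REPORT)
    for table, idx, func, owner, orig_owner in rows:
        print(f"{table}[{idx}] {func}: target in {owner or 'no module'}, "
              f"original in {orig_owner or 'n/a'}")
    for region, funcs in sorted(regions.items()):
        print(f"unattributed region 0x{region:03X}xxxxx: {', '.join(funcs)}")
```

If every unattributed target sits in one or two adjacent regions and every original address resolves to the kernel, the picture is consistent with a single filter driver that allocated its trampolines from pool, which is what security products do. A target inside a driver image you do not recognise, or an original address that does not resolve to the kernel, is the case worth following up by hand; the parser only sorts the lines, it does not decide.
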
DaKoz (Guest)
Re: Is this Report/Machine Clean?
« Reply #4 on: March 19, 2014, 03:49:24 PM »
When the “network issues” were occurring, the symptoms were seen by all users of the Oracle database custom middleware application. Normal MS server/network activity did not seem to be affected. It was peculiar indeed. Once these “infected” machines were taken off the network, those “network issues” disappeared. I do not understand what was happening but do attribute it to these machines and their malware, all of which had windows into this Oracle application. FYI the Oracle server and its application server were running cleanly with very few resources utilized (according to MS performance manager) when these symptoms were occurring. Anyway, let us not be concerned about those "cleared-up" issues.

We are running Trend Micro AV. It was all up to date at the time and could not identify this malware issue.
This machine has been placed back into service and is doing fine. We appreciate your insight, experience, good work and good product. I highly recommend RK to all. We appreciate your ongoing development efforts and plan to donate toward them.
“DaKoz” of it all!


Tigzy
Re: Is this Report/Machine Clean?
« Reply #5 on: March 19, 2014, 05:52:14 PM »
Looks like a "DDoS" caused by a specific machine flooding the network, the "infected machine" as you said.
That's an advanced issue; I'd suggest sniffing with Wireshark to see if some process is really flooding the network.

Thanks for your support! :)
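As an added example of the sniffing step suggested in Reply #5 (this is not code from the thread or from Adlice): export a capture to fields with `tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e frame.len`, then compute per-source packet and byte rates in one-second buckets together with the share of each source's traffic that goes to its top destination. A host whose peak rate is far above the other clients and that sends nearly everything to one server (here, the Oracle middleware box) is the one to pull off the wire and inspect. The addresses, timings and threshold are constructed for the example, and the capture lines are generated inline in that same four-field format rather than read from a pcap. Mapping the flow to a process then happens on the flagged host itself (`netstat -b` or Resource Monitor), which this script does not attempt.

```python
import csv
import io
from collections import defaultdict


def make_sample():
    """CONSTRUCTED capture in the shape of the tshark export
    'tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e frame.len'.
    Addresses and timings are invented: two clients and the server
    (10.0.0.5) exchange a few packets per second, while 10.0.0.23 sends
    400 full-size packets per second to the server for three seconds."""
    t0 = 1391791465.0  # arbitrary epoch start
    rows = []
    for i in range(30):
        rows.append((t0 + i * 0.1, "10.0.0.11", "10.0.0.5", 120))
        rows.append((t0 + i * 0.1 + 0.05, "10.0.0.5", "10.0.0.11", 90))
        rows.append((t0 + i * 0.1 + 0.02, "10.0.0.12", "10.0.0.5", 140))
    for i in range(1200):
        rows.append((t0 + i / 400.0, "10.0.0.23", "10.0.0.5", 1400))
    rows.append((t0 + 0.5, "", "", 60))  # non-IP frame (e.g. ARP): empty ip fields
    return "".join(f"{ts:.6f},{s},{d},{n}\n" for ts, s, d, n in rows)


def parse_records(text):
    """Parse the four-field export; frames without IPv4 addresses are skipped."""
    recs = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or not row[1] or not row[2]:
            continue
        ts, src, dst, size = row
        recs.append((float(ts), src, dst, int(size)))
    return recs


def per_source_rates(recs, bucket_s=1.0):
    """src -> {bucket -> [packets, bytes]} and src -> {dst -> packets}."""
    rates = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    dsts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, size in recs:
        b = int(ts // bucket_s)
        rates[src][b][0] += 1
        rates[src][b][1] += size
        dsts[src][dst] += 1
    return rates, dsts


def top_talkers(recs, pps_threshold=200, bucket_s=1.0):
    """One summary per source, sorted by peak packet rate. 'flag' is set when
    the peak rate reaches pps_threshold (an assumed value; calibrate it
    against the quiet clients on your own network)."""
    rates, dsts = per_source_rates(recs, bucket_s)
    report = []
    for src, buckets in rates.items():
        peak_pps = max(p for p, _ in buckets.values()) / bucket_s
        peak_bps = max(b for _, b in buckets.values()) * 8 / bucket_s
        top_dst, n = max(dsts[src].items(), key=lambda kv: kv[1])
        report.append({
            "src": src,
            "peak_pps": peak_pps,
            "peak_bps": peak_bps,
            "top_dst": top_dst,
            "dst_share": n / sum(dsts[src].values()),
            "flag": peak_pps >= pps_threshold,
        })
    report.sort(key=lambda r: r["peak_pps"], reverse=True)
    return report


if __name__ == "__main__":
    for r in top_talkers(parse_records(make_sample())):
        mark = "FLOOD" if r["flag"] else "     "
        print(f"{mark} {r['src']:<12} peak {r['peak_pps']:6.0f} pps "
              f"{r['peak_bps'] / 1e6:6.2f} Mbit/s  {r['dst_share']:.0%} to {r['top_dst']}")
```

The one-second buckets are what makes a burst visible; averaging over the whole capture would hide a host that floods for a few seconds and then goes quiet. The destination share is the second signal: a compromised client hammering one application server looks very different from a backup job that talks to many hosts, even at the same packet rate.
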