Topic: Weird antirootkit entry

nitrousable
Weird antirootkit entry
« on: May 29, 2015, 06:09:24 PM »
¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - memcpy : Unknown @ 0x1f20009 (call 0x5|jmp 0x34|jmp 0xffffff6e)

Is this malware?

Curson
Re: Weird antirootkit entry
« Reply #1 on: May 30, 2015, 12:33:09 AM »
Hi nitrousable,

Please copy/paste the full report in your next reply.

Regards.

nitrousable
Re: Weird antirootkit entry
« Reply #2 on: May 30, 2015, 01:38:52 AM »
RogueKiller V10.7.0.0 (x64) [May 25 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Alex [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 05/29/2015  18:02:46

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] MP3SkypeRecorder.exe(9156) -- C:\Users\Alex\AppData\Local\MP3 Skype recorder\MP3SkypeRecorder.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 5 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3399570657-819039515-4050530942-1001\Software\Microsoft\Windows\CurrentVersion\Run | MP3 Skype recorder : C:\Users\Alex\AppData\Local\MP3 Skype recorder\MP3SkypeRecorder.exe [7] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3399570657-819039515-4050530942-1001\Software\Microsoft\Windows\CurrentVersion\Run | MP3 Skype recorder : C:\Users\Alex\AppData\Local\MP3 Skype recorder\MP3SkypeRecorder.exe [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GalaxyCommunication ("C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe") -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GalaxyCommunication ("C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe") -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GalaxyCommunication ("C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe") -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - memcpy : Unknown @ 0x1f20009 (call 0x5|jmp 0x34|jmp 0xffffff6e)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SI +++++
--- User ---
[MBR] 37345cd71e41256344dce83f23e3d943
[BSP] d2c032d2125283caa119df8964ce8bd7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 923516 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1892079616 | Size: 350 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1892796416 | Size: 29651 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD2002FAEX-007BA0 +++++
--- User ---
[MBR] 1e5e6ffb562d75a94caff1a57a5f48ca
[BSP] 56eea2c0bc00d01469255301e21a3c32 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1857727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3804626944 | Size: 49999 MB [Error reading VBR! ([83] An attempt was made to move the file pointer before the beginning of the file. )]
User != LL1 ... KO!
--- LL1 ---
[MBR] 1e5e6ffb562d75a94caff1a57a5f48ca
[BSP] 56eea2c0bc00d01469255301e21a3c32 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1857727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3804626944 | Size: 49999 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User != LL2 ... KO!
--- LL2 ---
[MBR] 1e5e6ffb562d75a94caff1a57a5f48ca
[BSP] 56eea2c0bc00d01469255301e21a3c32 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1857727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3804626944 | Size: 49999 MB[Invalid]

Curson
Re: Weird antirootkit entry
« Reply #3 on: June 03, 2015, 12:15:52 PM »
Hi nitrousable,

Your computer is clean.
This hook is perfectly legit.

Regards.