Author Topic: Antirootkit RED WARNINGS

RichardK007 (Guest)
Antirootkit RED WARNINGS
« on: July 20, 2014, 05:27:34 AM »
Hi,
I'm new to RK and this forum, so I'm not sure if this is the place to ask questions... sorry if it is not. I've read the tutorial and seen the FAQs page, but there is no mention of RED color warnings. I don't know what to do....

I've run RogueKiller and the scan picked up some PUPs, which I have deleted.
It also picked up 3 objects in the Antirootkit tab that are highlighted in RED. These appear to be bad. It looks like they are keyloggers. I don't know if they are important to remove, and how to remove them.

Can you help please?

I ran the scan process again, so the PUPs are not in the report now. Here's the report:

Thanks
Richard

RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Remove -- Date : 07/20/2014  10:56:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 3 (Driver: LOADED) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\SynTP @ \Device\0000009b (\SystemRoot\System32\drivers\dxgmms1.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\0000008c (\SystemRoot\System32\drivers\dxgmms1.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\0000008a (\SystemRoot\System32\drivers\dxgmms1.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA MQ01ABD0 SCSI Disk Device +++++
--- User ---
[MBR] 239b791ed077fd1471a55625c40b17dd
[BSP] 9f5a57385805106117475533f18d9e31 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 462765 MB
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 950816768 | Size: 12673 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ATA TOSHIBA MK5075GS SCSI Disk Device +++++
--- User ---
[MBR] b511322079f9d2811392685783f2e20f
[BSP] 726112a5b743585243c98ba617487edd : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_07202014_103048.log - RKreport_DEL_07202014_103918.log - RKreport_SCN_07202014_104914.log



Tigzy (Administrator, Owner, Adlice Software)
Re: Antirootkit RED WARNINGS
« Reply #1 on: July 20, 2014, 02:06:49 PM »
Hello,
Yes, it's red because it's highly suspicious: a kernel filter attached to the keyboard stack and not whitelisted.

Can you tell me what the publisher of dxgmms1.sys is? (in system32/drivers)
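
The publisher check Tigzy asks for, done programmatically, as an added example that is not Adlice's or RogueKiller's code: it lists the filter drivers registered on the keyboard device class, resolves each to its on-disk image, and reports the Authenticode signature status and signer of each, plus the dxgmms1.sys file named in the report. It assumes an elevated PowerShell prompt on Windows 7 or later; the registry paths and cmdlets are standard Windows ones.

```powershell
# Added example (not RogueKiller's or Adlice's code): check who signed the
# keyboard filter drivers on this machine. Run from an elevated PowerShell prompt.

# Device-class GUID for keyboards (fixed value in Windows).
$kbdClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'

# Map a driver service name to its on-disk image, falling back to
# System32\drivers\<name>.sys when the service key has no ImagePath.
function Resolve-DriverPath([string]$service) {
    $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$service" -ErrorAction SilentlyContinue
    $image = if ($svc -and $svc.ImagePath) { [string]$svc.ImagePath } else { "System32\drivers\$service.sys" }
    # Strip the kernel-style prefixes ImagePath may carry (\SystemRoot\ and \??\).
    $image = $image -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
    if ([System.IO.Path]::IsPathRooted($image)) { return $image }
    return Join-Path $env:SystemRoot $image
}

# Verify one file and summarise the result as an object.
function Test-DriverSignature([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) {
        return New-Object PSObject -Property @{ File = $path; Status = 'FileMissing'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # Status is 'Valid' only when the chain ends at a trusted root AND the file
    # hash still matches; 'HashMismatch' means the binary was altered after
    # signing, which is what a PE infector would cause.
    New-Object PSObject -Property @{ File = $path; Status = [string]$sig.Status; Signer = $signer }
}

# On a stock system UpperFilters holds only kbdclass; any extra name here is a
# filter inserted into the keyboard stack that sees every keystroke.
$class   = Get-ItemProperty -Path $kbdClassKey
$filters = @($class.UpperFilters) + @($class.LowerFilters) | Where-Object { $_ }
$paths   = @($filters | ForEach-Object { Resolve-DriverPath $_ })

# The file RogueKiller named in the report above; it is attached per device,
# so it need not appear in the class filter lists.
$paths += Join-Path $env:SystemRoot 'System32\drivers\dxgmms1.sys'

$paths | Select-Object -Unique | ForEach-Object { Test-DriverSignature $_ } |
    Format-Table -AutoSize Status, Signer, File
```

A driver whose Status is anything other than Valid, or whose Signer is not the vendor you expect for that device, is the one worth asking about in a thread like this.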

RichardK007 (Guest)
Re: Antirootkit RED WARNINGS
« Reply #2 on: July 20, 2014, 05:26:55 PM »
Hi Tigzy,
Thanks for your help.

It appears that the signer is Microsoft Windows.
File Description: DirectX Graphics MMS
Type: System file
File version: 6.1.7601.18126
Product Name: Microsoft Windows Operating System
Copyright: Microsoft Corporation
Size: 258 KB
Date Modified: 10/04/2013

The same file name appears in this directory with several versions of the file, including (for example)
C:\Windows\winsxs\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.18228_none_09e7b2cffa30f336
and
C:\Windows\winsxs\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.17610_none_09ea9ecbfa2fe788

These have different dates; it looks like version updates.

Does this give you any clues?
Thanks for your help.

cheers
Richard

Tigzy (Administrator, Owner, Adlice Software)
Re: Antirootkit RED WARNINGS
« Reply #3 on: July 24, 2014, 10:47:56 AM »
Yes, that's a legit file and it will be whitelisted :)
No need to do anything.

RichardK007 (Guest)
Re: Antirootkit RED WARNINGS
« Reply #4 on: July 24, 2014, 11:19:57 AM »
Thanks.
It looked legit, but then if I was a dodgy hacker criminal, I'd probably create a file and sign it as coming from Microsoft.

thanks again

And because you are a nice fella, I've added Adlice.com into the anti-malware section of my new Guide.

Cheers
Richard
« Last Edit: July 25, 2014, 02:40:08 AM by RichardK007 »

Tigzy (Administrator, Owner, Adlice Software)
Re: Antirootkit RED WARNINGS
« Reply #5 on: July 24, 2014, 11:56:48 AM »
Quote from RichardK007:
> It looked legit, but then if I was a dodgy hacker criminal, I'd probably create a file and sign it as coming from Microsoft.

That's not as easy :)
Digital certs are provided by trusted authorities; they investigate you/your company, and you have to prove you are who you say you are and not a dodgy criminal.
Moreover, you cannot sign using any company name; it's necessarily YOUR company name. There's no hack to sign with any certificate, unless you can steal one (that happened to Adobe some years ago).

Certificates are useful because if someone modifies your binary (for example, a PE infector like Virut/Sality), your cert is no longer valid. So no one can blame you for possible damages.

If you have a certificate and one day you are reported as a malware provider, the authority that gave it to you has all the information needed for the FBI to knock at your door :)

Thanks for adding us :)
« Last Edit: July 24, 2014, 12:04:41 PM by Tigzy »

RichardK007 (Guest)
Re: Antirootkit RED WARNINGS
« Reply #6 on: July 25, 2014, 02:40:38 AM »
Thanks Tigzy,

Cheers
Richard