Author Topic: Hi tigzy  (Read 5976 times)


August 25, 2014, 02:46:58 PM

kateUlah

  • Guest
Hi tigzy
« on: August 25, 2014, 02:46:58 PM »
Finally I succeeded in registering; it was full of pain  ;D
So, like you advised me a month ago, here is my RogueKiller report. I guess I'm in trouble with these rootkits on my PC :(, can you help me tigzy?
PS: it seems RogueKiller can't destroy them.
Cheers.

Quote
RogueKiller V9.2.8.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.surlatoile.org/RogueKiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : kate [Admin rights]
Mode : Scan -- Date : 08/25/2014  13:38:35

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-32765355-549355606-4284730674-1001\Software\Microsoft\Internet Explorer\Main | Start Page : about:blank  -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-32765355-549355606-4284730674-1001\Software\Microsoft\Internet Explorer\Main | Start Page : about:blank  -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-32765355-549355606-4284730674-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-32765355-549355606-4284730674-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 18 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1

¤¤¤ Antirootkit : 14 (Driver: LOADED) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x66e12c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x66e12c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x66e12c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x66e12c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_POWER[22] : Unknown @ 0x66e12c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x66e12c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x66e12c0
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\diskpt @ Unknown (\SystemRoot\system32\DRIVERS\SCSIPORT.SYS)
[Filter(Kernel.Filter)] \Driver\Disk @ Unknown : \Driver\diskpt @ Unknown (\SystemRoot\system32\DRIVERS\SCSIPORT.SYS)
[Filter(Kernel.Filter)] \Driver\Disk @ Unknown : \Driver\diskpt @ Unknown (\SystemRoot\system32\DRIVERS\SCSIPORT.SYS)
[EAT:Addr] (explorer.exe) hcproviders.dll - DllCanUnloadNow : C:\Windows\system32\imapi2.dll @ 0x7fef9cf6edc
[EAT:Addr] (explorer.exe) hcproviders.dll - DllGetClassObject : C:\Windows\system32\imapi2.dll @ 0x7fef9cf2164
[EAT:Addr] (explorer.exe) hcproviders.dll - DllRegisterServer : C:\Windows\system32\imapi2.dll @ 0x7fef9d312e0
[EAT:Addr] (explorer.exe) hcproviders.dll - DllUnregisterServer : C:\Windows\system32\imapi2.dll @ 0x7fef9d3146c

¤¤¤ Web browsers : 3 ¤¤¤
[PUM.Proxy][FIREFX:Config] lisel8os.default-1383688299864 : user_pref("network.proxy.http", "nl3.freedom-ip.com"); -> FOUND
[PUM.Proxy][FIREFX:Config] lisel8os.default-1383688299864 : user_pref("network.proxy.http_port", 3128); -> FOUND
[PUM.HomePage][FIREFX:Config] lisel8os.default-1383688299864 : user_pref("browser.startup.homepage", "https://duckduckgo.com/html/"); -> FOUND

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1600BB-55RDA0 SCSI Disk Device +++++
--- User ---
[MBR] 0d1a9bcad330c3438ff2eaa403a03af8
[BSP] 952b80f766bb1ff8c884b916416b28c8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 152525 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Hitachi HTS545012B9SA00 ATA Device +++++
--- User ---
[MBR] 11ea4804d8b985eb96df99eb4cc4ac17
[BSP] 6af2f3cced5ab3239d7b7140a70261ce : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 114471 MB
User = LL1 ... OK
User = LL2 ... OK

« Last Edit: August 25, 2014, 02:50:24 PM by kateUlah »

Reply #1, August 25, 2014, 04:02:05 PM

Tigzy

  • Administrator
  • Hero Member
  • Owner, Adlice Software
Re: Hi tigzy
« Reply #1 on: August 25, 2014, 04:02:05 PM »
It looks all legit, we'll whitelist the rootkit entries.

Reply #2, August 25, 2014, 07:03:59 PM

kateUlah

  • Guest
Re: Hi tigzy
« Reply #2 on: August 25, 2014, 07:03:59 PM »
Thank you sir :-*