Author Topic: Please Help With Log Analysis + System Freeze (Read 4980 times)

Huxley · « **on:** October 18, 2014, 04:28:47 PM »

Hey Adlice Forum.

Firstly, sorry if this is the wrong place to post this.

Can someone please analyze this log for me? I'm not sure whether to be worried about these Anti-Rootkit results or not (all orange), since they didn't appear when I scanned with the previous version. Pretty sure all the entries in Registry are all my own modifications, but confirmation on whether or not this is true would be splendid.

Also, I'm not sure whether to be worried about this, but my Roguekiller x64 sometimes freezes my entire system to the point where I need to do a hard reset. It does this when doing the initial processes scan. I think it's one of my svchost processes that causes it (EDIT: Scan just froze again, this time on the firefox.exe process). It doesn't happen during safe mode scans. What would cause this and what should I do about it?

Any help would be greatly appreciated.

Thank you in advance.

RogueKiller V10.0.2.0 (x64) [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : CABAL [Administrator]
Mode : Scan -- Date : 10/19/2014 00:28:44

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 38 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3360283958-4069657338-1727946519-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 33 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_DevNode_Status : C:\Windows\system32\CFGMGR32.dll @ 0x7fefda030c0
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_Device_IDW : C:\Windows\system32\CFGMGR32.dll @ 0x7fefda04034
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x7fefefd0680
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x7fefefc9370
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x7fefeff2e18
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x7fefefe7490
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x7fefefe2a30
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x7fefefeea20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x7fefeffbf00
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x7fefefd3e90
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x7fefefc8284
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x7fefefcd9d0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x7fefefeef20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x7fefefef1ac
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x7fefefe3560
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x7fefefd9980
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - FreePropVariantArray : C:\Windows\system32\ole32.dll @ 0x7feff0e9440
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x7fefefe8e70
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x7fefefe8e20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x7fefefe1314
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd66193c
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd6615e0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd6614e8
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd6615e0
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd66193c
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd6614e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd6615e0
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd6614e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd66193c
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\VERSION.dll @ 0x7fefd661b94
[IAT:Addr] (explorer.exe @ ieframe.DLL) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd6614e8
[IAT:Addr] (explorer.exe @ ieframe.DLL) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd66193c
[IAT:Addr] (explorer.exe @ ieframe.DLL) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd6615e0

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] 810a03ff8a30ec673cb2e5308def83a0
[BSP] f1cccc7e01129e95a8ae4b04184c722a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST9750420AS ATA Device +++++
--- User ---
[MBR] a8e8932db223e29c016af6652506500a
[BSP] 98d3b3aeea6eb93b87e11d95cbaee333 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715402 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_10042014_152023.log - RKreport_SCN_10052014_124935.log - RKreport_SCN_10152014_001950.log

Tigzy · « **Reply #1 on:** October 20, 2014, 11:43:25 AM »

Hello
ARK entries are false positives, already fixed for next release.

For the freeze, is it because of CPU/RAM usage? Could you open task manager to check performances while doing a scan?
No blue screen?

Huxley · « **Reply #2 on:** October 21, 2014, 01:20:14 AM »

Hey and thanks Tigzy.

Just had the freeze happen three times while running RogueKiller, and all happened on the same (I think?) svchost.exe. No bluescreen, just a complete freeze and a repeating sound from whatever program was producing sound at the time.

RAM and CPU usage doesn't increase, and after several tests it appears to only happen when Firefox is running. Odd.

I guess it's not that much of a problem if the scan goes through sometimes, but I want to be sure that the svchost and/or firefox processes "causing" the problem aren't infected or corrupt.

Tigzy · « **Reply #3 on:** October 21, 2014, 08:06:23 AM »

That's weird. Those 2 processes should not have any problem working each together.
I don't have any easy answer right now.

Author Topic: Please Help With Log Analysis + System Freeze (Read 4980 times)

Huxley

Please Help With Log Analysis + System Freeze

Tigzy

Re: Please Help With Log Analysis + System Freeze

Huxley

Re: Please Help With Log Analysis + System Freeze

Tigzy

Re: Please Help With Log Analysis + System Freeze