Author Topic: ===> False Positives <===  (Read 184936 times)


Curson
Re: ===> False Positives <===
« Reply #60 on: March 12, 2015, 04:35:08 pm »
Hi mist63,

Thanks for bringing this up.
This entry will be whitelisted in the next version of RogueKiller.

Regards.

signal.vol@gmail.com
« Reply #61 on: March 13, 2015, 07:12:05 pm »

The following should not be considered as suspicious as they are marked as part of Bitdefender Antivirus. However, it probably should be verified by Bitdefender.

[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[17] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451109c
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511c66
[SSDT:Addr(Hook.SSDT)] NtClose[25] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514b6a
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45133f6
[SSDT:Addr(Hook.SSDT)] unknown[37] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451293a
[SSDT:Addr(Hook.SSDT)] NtCreateKey[41] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513aee
[SSDT:Addr(Hook.SSDT)] NtCreateProcess[47] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511ebc
[SSDT:Addr(Hook.SSDT)] NtCreateProcessEx[48] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511f72
[SSDT:Addr(Hook.SSDT)] NtCreateSection[50] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451225c
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510a0c
[SSDT:Addr(Hook.SSDT)] NtDeviceIoControlFile[66] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513c5e
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45180f8
[SSDT:Addr(Hook.SSDT)] NtFsControlFile[84] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513f16
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511572
[SSDT:Addr(Hook.SSDT)] NtMakeTemporaryObject[105] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514912
[SSDT:Addr(Hook.SSDT)] NtOpenFile[116] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451272c
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517b50
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451202c
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517e00
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[137] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510f20
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511d8e
[SSDT:Addr(Hook.SSDT)] NtReplaceKey[193] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514760
[SSDT:Addr(Hook.SSDT)] NtRequestPort[199] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513564
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[200] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4512ef8
[SSDT:Addr(Hook.SSDT)] NtRestoreKey[204] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45147ea
[SSDT:Addr(Hook.SSDT)] NtSecureConnectPort[210] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451397e
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510b7c
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[237] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45146ba
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451176c
[SSDT:Addr(Hook.SSDT)] NtShutdownSystem[249] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451487c
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510df8
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510cd2
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[255] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511b98
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[257] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517a48
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45182ea
[SSDT:Addr(Hook.SSDT)] NtUnloadDriver[262] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45149a8
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510890
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510478
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallNoParam[322] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510680
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallOneParam[323] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45105d2
[ShwSSDT:Addr(Hook.Shadow)] NtUserDdeSetQualityOfService[347] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45103de
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451037a
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451020c
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45101a8
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450feb2
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fcb8
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fd38
[ShwSSDT:Addr(Hook.Shadow)] NtUserRegisterRawInputDevices[491] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450ff3a
[ShwSSDT:Addr(Hook.Shadow)] NtUserSendInput[502] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fc66
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450f2b8
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450f746

ryderjj89
« Reply #62 on: March 14, 2015, 05:19:15 am »
I don't know if you support Windows XP but here's another for ya with LogMeIn Rescue.

[Suspicious.Path] lmi_rescue.exe(4232) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(4360) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(4580) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermThr]
[Suspicious.Path] lmi_rescue.exe(4820) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe[7] -> Killed [TermProc]

Curson
« Reply #63 on: March 16, 2015, 11:05:00 am »
Hi signal.vol,

Welcome to Adlice.com Forum!

Thanks for your contribution.
BitDefender's driver will be whitelisted in the next version of RogueKiller.

Regards.

Curson
« Reply #64 on: March 16, 2015, 11:13:55 am »
Hi ryderjj89,

Quote from: ryderjj89
I don't know if you support Windows XP but here's another for ya with LogMeIn Rescue.

Windows XP is still fully supported and these processes should be whitelisted in RogueKiller's current version.
Which version did you run?

Regards.

roushi
« Reply #65 on: March 19, 2015, 01:49:51 am »
Hello,
Recently I used RK and found that my cloud security program, Tresorit (tresorit.exe), is suspected as a malicious program. I downloaded it from their official website (https://tresorit.com/). For security concerns, I have uninstalled Tresorit. But I still want to know whether it is a false positive or a rogue application. Thanks  ;D

Curson
« Reply #66 on: March 19, 2015, 08:30:06 am »
Hi roushi,

This is likely a false positive.
Could you please post the full path of the detected process?

Regards.

roushi
« Reply #67 on: March 19, 2015, 05:33:45 pm »
Sorry Curson, I uninstalled it as soon as it was detected by RK and I forgot to record the full path of the detected process.  :(

Curson
« Reply #68 on: March 19, 2015, 10:32:09 pm »
Hi roushi,

That's no big deal.
I think I managed to discover the location of the executable by myself.

Regards.

roushi
« Reply #69 on: March 24, 2015, 04:25:18 pm »
Hi Curson,
I scanned with the newer version of RogueKiller.

However, I got a warning about a userland rootkit, IAT hook.

Here is my log:
RogueKiller V10.5.7.0 (x64) [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : fajar [Administrator]
Started from : F:\New folder\Softwares\RogueKillerX64.exe
Mode : Scan -- Date : 03/24/2015  22:14:42

Processes : 1
[Suspicious.Path] (SVC) SLEE_18_DRIVER -- \??\C:\WINDOWS\Sleen1864.sys[7] -> Stopped

Registry : 13
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Partizan (system32\drivers\Partizan.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SLEE_18_DRIVER (\??\C:\WINDOWS\Sleen1864.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLEE_18_DRIVER (\??\C:\WINDOWS\Sleen1864.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8EF8906D-A45A-4663-8558-C4D00C3B3B13} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8EF8906D-A45A-4663-8558-C4D00C3B3B13} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 61 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53f40 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 35d34ea0725b15bfc5585d344d1a1ee4
[BSP] 9bc2edaef5de5c63af0852ed1c97e416 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381096 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 782796800 | Size: 450 MB
5 - Basic data partition | Offset (sectors): 783718400 | Size: 150704 MB
6 - Basic data partition | Offset (sectors): 1092360192 | Size: 399999 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_03182015_223955.log - RKreport_SCN_03092015_115351.log - RKreport_SCN_03102015_143536.log - RKreport_SCN_03182015_213128.log
RKreport_SCN_03182015_223747.log

I use Bitdefender, Malwarebytes Anti-Malware and Anti-Exploit, and Zemana AntiLogger.

Can you give clues whether it is a false positive or a rootkit?

Thanks a lot
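An added triage helper (example code written for this page, not RogueKiller's own code nor any poster's): it parses the two hook-line shapes quoted in Reply #61 (SSDT and shadow SSDT hooks) and Reply #69 (IAT hooks in chrome.exe) and groups every hook by the module that installed it, which is the unit that ends up being whitelisted. The sample report is constructed from lines in the shapes quoted above; a few dozen repeated IAT lines collapse into one row with a distinct-function count and a raw-line count.

```python
import re

# Kernel hook lines (SSDT and shadow SSDT), e.g.
# [SSDT:Addr(Hook.SSDT)] NtClose[25] : C:\...\bdselfpr.sys @ 0xb4514b6a
KERNEL_HOOK = re.compile(
    r"^\[(?P<table>SSDT|ShwSSDT):Addr\(Hook\.(?:SSDT|Shadow)\)\]\s+"
    r"(?P<func>\S+)\[(?P<index>\d+)\]\s+:\s+(?P<module>.+?)\s+@\s+"
    r"(?P<addr>0x[0-9a-fA-F]+)\s*$"
)
# User-mode import/export table hook lines, e.g.
# [IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\...\KEYCRY~3.DLL @ 0x74d54230 (ret )
USER_HOOK = re.compile(
    r"^\[IAT:Inl\(Hook\.IEAT\)\]\s+\((?P<process>[^)]+)\)\s+(?P<dll>\S+)\s+-\s+"
    r"(?P<func>\S+)\s+:\s+(?P<module>.+?)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)"
)


def parse_hook_line(line):
    """Return a dict describing one hook line, or None for any other report line."""
    m = KERNEL_HOOK.match(line)
    if m:
        return {"kind": "kernel", "table": m["table"], "index": int(m["index"]),
                "process": None, "func": m["func"], "module": m["module"],
                "addr": m["addr"]}
    m = USER_HOOK.match(line)
    if m:
        return {"kind": "user", "table": "IAT", "index": None,
                "process": m["process"], "func": f"{m['dll']}!{m['func']}",
                "module": m["module"], "addr": m["addr"]}
    return None


def group_hooks_by_module(lines):
    """Group hook lines by the hooking module (path compared case-insensitively).

    Each group keeps the distinct hooked functions, the processes the hook was seen
    in (user-mode only) and the number of raw lines absorbed, so the same hook
    reported once per chrome.exe instance collapses into one entry.
    """
    groups = {}
    for line in lines:
        hook = parse_hook_line(line.strip())
        if hook is None:
            continue
        g = groups.setdefault(hook["module"].lower(), {
            "module": hook["module"], "kind": hook["kind"],
            "functions": set(), "processes": set(), "lines": 0})
        g["functions"].add(hook["func"])
        if hook["process"]:
            g["processes"].add(hook["process"])
        g["lines"] += 1
    return groups


def summarize(lines):
    """One row per module: (module, kind, distinct functions, raw lines), busiest first.
    Each row is one vendor to verify (installer, digital signature) and one whitelist decision."""
    rows = [(g["module"], g["kind"], len(g["functions"]), g["lines"])
            for g in group_hooks_by_module(lines).values()]
    return sorted(rows, key=lambda r: (-r[2], r[0].lower()))


# Constructed sample in the shapes quoted in this thread (not a full report).
SAMPLE_REPORT = r"""
[SSDT:Addr(Hook.SSDT)] NtClose[25] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514b6a
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517b50
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450f2b8
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[Suspicious.Path] (SVC) SLEE_18_DRIVER -- \??\C:\WINDOWS\Sleen1864.sys[7] -> Stopped
""".strip().splitlines()

if __name__ == "__main__":
    for module, kind, funcs, raw in summarize(SAMPLE_REPORT):
        print(f"{kind:6} {funcs:3} functions over {raw:3} lines  {module}")
```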

Curson
« Reply #70 on: March 25, 2015, 08:11:31 pm »
Hi roushi,

They are probably false positives.
Could you please give me the full path and name of the following dll?
Quote
C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL

Regards.

roushi
« Reply #71 on: March 26, 2015, 10:13:51 am »
Hi curson,
I don't know how to find the full path. I'm not an advanced user. However, I searched and found that this .dll file belongs to Zemana AntiLogger (I use the anti-keylogger)
and it is located in:
C:\Program Files (x86)\KeyCryptSDK
Thanks

Curson
« Reply #72 on: March 26, 2015, 02:24:11 pm »
Hi roushi,

Thanks for the information.
At first sight, it will be enough to whitelist the dll.

Regards.

laclac
« Reply #73 on: May 25, 2015, 05:34:47 pm »
Hi,

Thank you very much for this very good tool.
I think my computer is safe, but when I scanned with RogueKiller I had 720 suspect elements.
I think they are false positives with these applications:
- Sandboxie (95% of the alerts)
- GData (antivirus)
- Free Download Manager (Lite Edition)
- OneDrive (in the Registry)
- SyncCenter (??? by default in Windows I think, but not sure; scan OK by VirusTotal)

I attached the report.

Thank you

Curson
« Reply #74 on: May 25, 2015, 06:32:15 pm »
Hi laclac,

These detections are indeed false positives and will be fixed as soon as possible.
Thanks for bringing this to our attention.

Regards.