Author Topic: Assistance Interpreting Hook SSDTs in Antirootkit tab...  (Read 11652 times)

0 Members and 1 Guest are viewing this topic.

November 19, 2014, 08:05:18 PM

RC@RKforum

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Assistance Interpreting Hook SSDTs in Antirootkit tab...
« on: November 19, 2014, 08:05:18 PM »

I needed quick help interpreting entries in Antirootkit section of RK marked as Hook.SSDTs, Hook.Shadows, Hook.IEATs, and "Unknown".  They were all marked Orange, with no Red entries listed in any tabs, but though I've researched I've not been able to discern whether these, or 8 orange items in Registry tab are dangerous and need to be deleted. Other tabs came back Okay...

I've reviewed tutorial and Official documentation pgs and former seems to indicate that some of these items are malware.

Scan was run on older XP system I've been cleaning up and preparing to migrate to new PC/OS.


The Scan Report is below.  Any help would be greatly appreciated!




RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Robert C [Administrator]
Mode : Scan -- Date : 11/19/2014  11:18:12

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 36 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{744E0E81-BC79-4719-A58B-C98F7E78EE5D} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\A2DDA (\??\C:\DOCUME~1\Carlos\LOCALS~1\Temp\A2ONLINESCAN\a2ddax86.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\JYOIXWWQWAPKZB (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\JYOIXWWQWAPKZB.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ODABSUGBZSJ (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ODABSUGBZSJ.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\R (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\R.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ZUZKIH (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ZUZKIH.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\A2DDA (\??\C:\DOCUME~1\Carlos\LOCALS~1\Temp\A2ONLINESCAN\a2ddax86.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\JYOIXWWQWAPKZB (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\JYOIXWWQWAPKZB.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ODABSUGBZSJ (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ODABSUGBZSJ.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\R (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\R.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ZUZKIH (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ZUZKIH.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\A2DDA (\??\C:\DOCUME~1\Carlos\LOCALS~1\Temp\A2ONLINESCAN\a2ddax86.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\JYOIXWWQWAPKZB (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\JYOIXWWQWAPKZB.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ODABSUGBZSJ (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ODABSUGBZSJ.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\R (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\R.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ZUZKIH (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ZUZKIH.exe) -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : <local>  -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.dell4me.com/myway  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.dell4me.com/myway  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1011\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.87.71.230 68.87.73.246 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DFC356A3-D4BE-4B48-A063-93DEA5C94087} | DhcpNameServer : 68.87.71.230 68.87.73.246 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1011\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 105 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAdjustPrivilegesToken[11] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d1fba
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[12] : Unknown @ 0x8a7d3cc8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[13] : Unknown @ 0x8a7d3d20
[SSDT:Addr(Hook.SSDT)] unknown[17] : Unknown @ 0x8a735800
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : Unknown @ 0x8a67ccb0
[SSDT:Addr(Hook.SSDT)] NtClose[25] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d28b4
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ebaee
[SSDT:Addr(Hook.SSDT)] NtCreateEvent[35] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d2e26
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[43] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d2d14
[SSDT:Addr(Hook.SSDT)] NtCreatePort[46] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ebe06
[SSDT:Addr(Hook.SSDT)] NtCreateProcess[47] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d3056
[SSDT:Addr(Hook.SSDT)] NtCreateProcessEx[48] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d321e
[SSDT:Addr(Hook.SSDT)] NtCreateSection[50] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d1d76
[SSDT:Addr(Hook.SSDT)] NtCreateSemaphore[51] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d2f3e
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[52] : Unknown @ 0x8a67cb60
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d25e6
[SSDT:Addr(Hook.SSDT)] NtCreateWaitablePort[56] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ebece
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[57] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d353c
[SSDT:Addr(Hook.SSDT)] NtDeleteKey[63] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e6084
[SSDT:Addr(Hook.SSDT)] NtDeleteValueKey[65] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e788e
[SSDT:Addr(Hook.SSDT)] NtDeviceIoControlFile[66] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d28f6
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d453c
[SSDT:Addr(Hook.SSDT)] NtEnumerateKey[71] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e7088
[SSDT:Addr(Hook.SSDT)] NtEnumerateValueKey[73] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e7a38
[SSDT:Addr(Hook.SSDT)] unknown[83] : Unknown @ 0x8a71bcf0
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[89] : Unknown @ 0x8a633470
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[91] : Unknown @ 0x8a6334e8
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d362e
[SSDT:Addr(Hook.SSDT)] NtLoadKey[98] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e6bc0
[SSDT:Addr(Hook.SSDT)] NtLoadKey2[99] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e6e1c
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[108] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d3b9a
[SSDT:Addr(Hook.SSDT)] NtNotifyChangeKey[111] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ea30a
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[114] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d2eb8
[SSDT:Addr(Hook.SSDT)] NtOpenMutant[120] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d2da0
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d21f4
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[123] : Unknown @ 0x8a6721a8
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d397e
[SSDT:Addr(Hook.SSDT)] NtOpenSemaphore[126] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d2fd0
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d20e8
[SSDT:Addr(Hook.SSDT)] unknown[137] : Unknown @ 0x8a67cc08
[SSDT:Addr(Hook.SSDT)] NtQueryKey[160] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e5eb8
[SSDT:Addr(Hook.SSDT)] NtQueryMultipleValueKey[161] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e7698
[SSDT:Addr(Hook.SSDT)] NtQueryObject[163] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ea500
[SSDT:Addr(Hook.SSDT)] NtQuerySection[167] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d3ec0
[SSDT:Addr(Hook.SSDT)] NtQueryValueKey[177] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e7488
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d37ce
[SSDT:Addr(Hook.SSDT)] NtRenameKey[192] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e6198
[SSDT:Addr(Hook.SSDT)] NtReplaceKey[193] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e680c
[SSDT:Addr(Hook.SSDT)] NtReplyPort[194] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ec048
[SSDT:Addr(Hook.SSDT)] NtReplyWaitReceivePort[195] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ebf96
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[200] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ec0b4
[SSDT:Addr(Hook.SSDT)] NtRestoreKey[204] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e6a14
[SSDT:Addr(Hook.SSDT)] NtResumeThread[206] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d43de
[SSDT:Addr(Hook.SSDT)] NtSaveKey[207] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e633e
[SSDT:Addr(Hook.SSDT)] NtSaveKeyEx[208] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e64d4
[SSDT:Addr(Hook.SSDT)] NtSaveMergedKeys[209] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e6670
[SSDT:Addr(Hook.SSDT)] NtSecureConnectPort[210] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ebc76
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d2756
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[228] : Unknown @ 0x8a66a588
[SSDT:Addr(Hook.SSDT)] NtSetInformationToken[230] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d33e8
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d4010
[SSDT:Addr(Hook.SSDT)] NtSetValueKey[247] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75e7248
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d4104
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d423e
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[255] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d345e
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d22ea
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[267] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d3d78
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75d247c
[ShwSSDT:Addr(Hook.Shadow)] NtGdiBitBlt[13] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd508
[ShwSSDT:Addr(Hook.Shadow)] NtGdiMaskBlt[227] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd5de
[ShwSSDT:Addr(Hook.Shadow)] NtGdiPlgBlt[237] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd64e
[ShwSSDT:Addr(Hook.Shadow)] NtGdiStretchBlt[292] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd572
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ddbd6
[ShwSSDT:Addr(Hook.Shadow)] NtUserBuildHwndList[312] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd6b6
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallOneParam[323] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd4d4
[ShwSSDT:Addr(Hook.Shadow)] NtUserFindWindowEx[378] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd2c8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd0d6
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd3d6
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd122
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[428] : Unknown @ 0x8a8ac830
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd21a
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd16e
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd1c2
[ShwSSDT:Addr(Hook.Shadow)] NtUserRegisterHotKey[490] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75ddc90
[ShwSSDT:Addr(Hook.Shadow)] NtUserRegisterRawInputDevices[491] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd35e
[ShwSSDT:Addr(Hook.Shadow)] NtUserSendInput[502] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd27a
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetParent[529] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dda88
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd026
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dd07e
[ShwSSDT:Addr(Hook.Shadow)] NtUserUnregisterHotKey[576] : C:\WINDOWS\system32\DRIVERS\8577759drv.sys @ 0xa75dddb0
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP0T0L0-3 : \Driver\iomdisk @ Unknown (iomdisk.sys)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtProtectVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008d80 (jmp 0xffffffff936fb692)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ Secur32.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ Secur32.dll) ntdll.dll - ZwFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ ShimEng.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ ShimEng.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ ShimEng.dll) ntdll.dll - NtProtectVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008d80 (jmp 0xffffffff936fb692)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtProtectVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008d80 (jmp 0xffffffff936fb692)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ PSAPI.DLL) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] xxd3xa0o.default : user_pref("browser.startup.homepage", "www.google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] a9d88c5bfcceb358dee0fea0508aadd4
[BSP] 06fafca6e7c85f9f43ebb60ce3e626a6 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 156 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 321300 | Size: 152468 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Sony Storage Media USB Device +++++
--- User ---
[MBR] bc980fe5e099e12f5e0d9d86acbc5044
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 3823 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Sony Storage Media USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )




Reply #1November 20, 2014, 11:20:43 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #1 on: November 20, 2014, 11:20:43 AM »
Hello

Could you scan those files on virus total?

C:\WINDOWS\system32\DRIVERS\8577759drv.sys
C:\WINDOWS\system32\hmpalert.dll

Reply #2November 20, 2014, 07:28:05 PM

RC@RKforum

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #2 on: November 20, 2014, 07:28:05 PM »

Yes, I manually scanned the C:\WINDOWS\system32\DRIVERS\8577759drv.sys file on VirusTotal (i.e., copy & pasted it) but received a “File Not Found” result.

I’d also noticed that the file was ubiquitous throughout the RK results and after posting yesterday did a Windows search for it [the 8577759drv.sys part] on the system which revealed the file but in a slightly different directory address:  C:\WINDOWS\LastGood\system32\DRIVERS\ and as the only file in the DRIVERS folder.

I scanned this file unto the VirusTotal Uploader utility on my desktop which revealed it as clean/probably harmless (i.e., 0/57 detection ratio) w/ a klif.sys file name.  Presumably a Kapersky file, which would make sense since I recently installed and been running the Kapersky Virus Removal tool and TDSS Killer on the system.

I intentionally searched within the C:\WINDOWS\system32\DRIVERS\ directory, however, but 8577759drv.sys wasn’t there. So I’m bothered that RK shows it to be in a different folder/directory than where it actually is. Should this be of any concern?

The hmpalert.dll file was also scanned w/ VT utility and it came back clean, identifying it as a HitmanPro browser utility—HitmanPro.Alert— which I recently downloaded and installed although this file was in the directory identified by RK.   

Reply #3November 21, 2014, 08:34:00 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #3 on: November 21, 2014, 08:34:00 AM »
You have to copy them on the desktop first. X86 web browsers are redirected otherwise.
Did you search from within your browser? You have to open an explorer window instead (that redirection)

Reply #4November 22, 2014, 07:51:32 PM

RC@RKforum

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #4 on: November 22, 2014, 07:51:32 PM »

I first searched files from a browser on my laptop (different sys) not fr browsers on system where I ran RK.

When I did the 2nd VirusTotal search on files-- the scans producing clean results-- I did so, however, by selecting the files from within the VT utility on desktop of infected system [going directly to directory where they lived] so I didn't do any manual copy/paste operations that time. I simply selected files from ‘Browse for files’ option within VT Uploader which then openned up/loaded them to VT website for analysis. 

VT Uploader, btw, is small desktop utility which helps find suspicious files on one’s system & loads them directly to VT.  It is available on VT.com.

But you're correct about re-direction issues.  On the account where I orig ran RK, Firefox seems completely taken over by something.  Every time it’s launched, multiple tabs open up to unfamiliar websites, none of them of my choosing.  And tabs continue to open automatically until I end up having to close FF.  Other browsers on the same user account are working Okay, though (i.e., no redirection). :-\


Reply #5November 24, 2014, 09:44:45 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #5 on: November 24, 2014, 09:44:45 AM »
This is not the same redirection I was talking about : http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187%28v=vs.85%29.aspx
If you have adwares on FF, I'd use AdwCleaner too

Were you able to find the files directly with windows explorer (no VT utility, no browser)?

Reply #6November 24, 2014, 09:02:46 PM

RC@RKforum

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #6 on: November 24, 2014, 09:02:46 PM »

Hello Tigzi,

I'm sorry, I wasn't too sure what you meant by "you have to copy them to the desktop first"

Anyways, yes, I searched for the file--C:\WINDOWS\system32\DRIVERS\8577759drv.sys--w/ windows explorer on the 20th.  I first used automated windows search with 8577759drv.sys as query and file appeared but in the C:\WINDOWS\LastGood\system32\DRIVERS\ directory not the C:\WINDOWS\system32\DRIVERS directory the RK results reflected.

After automated search I did manual search going specifically to the folders in question and looking in  C:\WINDOWS\system32\DRIVERS  for 8577759drv.sys file, but it wasn't there.


But I also did a 2nd/Follow up scan w/ RK after a reboot and received new results. Results are below but basically    C:\WINDOWS\system32\DRIVERS\8577759drv.sys  files are no longer in Antirootkit tab but more ‘Unknown’ orange files appear there and the 8 previous suspicious Registry items are also present. 

One orange item for FF was detected, and I think this may have had to do w/ redirection issue.  I selected it + registry items, deleted them and now FF seems to be back to normal when it opens.

I also just completed another windows auto search again for the older file but it doesn't appear now at all in any of the directories.  So I take that to be good news, no?


Thank you again for your replies and insight Tigzi.....


New Scan:

RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Robert C  [Administrator]
Mode : Scan -- Date : 11/22/2014  13:24:27

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 32 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{744E0E81-BC79-4719-A58B-C98F7E78EE5D} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\A2DDA (\??\C:\DOCUME~1\Carlos\LOCALS~1\Temp\A2ONLINESCAN\a2ddax86.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\JYOIXWWQWAPKZB (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\JYOIXWWQWAPKZB.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ODABSUGBZSJ (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ODABSUGBZSJ.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\R (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\R.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ZUZKIH (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ZUZKIH.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\A2DDA (\??\C:\DOCUME~1\Carlos\LOCALS~1\Temp\A2ONLINESCAN\a2ddax86.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\JYOIXWWQWAPKZB (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\JYOIXWWQWAPKZB.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ODABSUGBZSJ (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ODABSUGBZSJ.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\R (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\R.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ZUZKIH (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ZUZKIH.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\A2DDA (\??\C:\DOCUME~1\Carlos\LOCALS~1\Temp\A2ONLINESCAN\a2ddax86.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\JYOIXWWQWAPKZB (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\JYOIXWWQWAPKZB.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ODABSUGBZSJ (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ODABSUGBZSJ.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\R (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\R.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ZUZKIH (C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\ZUZKIH.exe) -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.dell4me.com/myway  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.dell4me.com/myway  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1011\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.87.71.230 68.87.73.246  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DFC356A3-D4BE-4B48-A063-93DEA5C94087} | DhcpNameServer : 68.87.71.230 68.87.73.246  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2032323870-3987493145-801179686-1011\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 59 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[12] : Unknown @ 0x8a7860d8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[13] : Unknown @ 0x8a786170
[SSDT:Addr(Hook.SSDT)] unknown[17] : Unknown @ 0x8a6ec7f0
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : Unknown @ 0x8a8d8048
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : Unknown @ 0x8a92a510
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[43] : Unknown @ 0x8a791090
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[52] : Unknown @ 0x8a6fa350
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : Unknown @ 0x8a72f310
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[57] : Unknown @ 0x8a8d80e0
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : Unknown @ 0x8a70f350
[SSDT:Addr(Hook.SSDT)] unknown[83] : Unknown @ 0x8a7527a0
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[89] : Unknown @ 0x8a791138
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[91] : Unknown @ 0x8a791008
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : Unknown @ 0x8a8225f0
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[108] : Unknown @ 0x8a752748
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[114] : Unknown @ 0x8a7a3428
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : Unknown @ 0x8a703e98
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[123] : Unknown @ 0x8a6e7d90
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : Unknown @ 0x8a7a3318
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : Unknown @ 0x8a703f20
[SSDT:Addr(Hook.SSDT)] unknown[137] : Unknown @ 0x8a6fa3f8
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : Unknown @ 0x8a6fa2a8
[SSDT:Addr(Hook.SSDT)] NtResumeThread[206] : Unknown @ 0x8a7c3348
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : Unknown @ 0x8a7522f0
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[228] : Unknown @ 0x8a752680
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : Unknown @ 0x8a8d8178
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : Unknown @ 0x8a7a33b0
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : Unknown @ 0x8a7c33c0
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[257] : Unknown @ 0x8a6fa258
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : Unknown @ 0x8a703ee8
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[267] : Unknown @ 0x8a8aeda0
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : Unknown @ 0x8a6ec768
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : Unknown @ 0x8a8a8820
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : Unknown @ 0x8a9ff268
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : Unknown @ 0x8a7d0fd0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : Unknown @ 0x8a818e68
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[428] : Unknown @ 0x8a951860
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : Unknown @ 0x8aa90380
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : Unknown @ 0x8a9de8b0
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : Unknown @ 0x8a9da8f8
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : Unknown @ 0x8a753900
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : Unknown @ 0x8aa51990
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\iomdisk @ Unknown (iomdisk.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-f : \Driver\iomdisk @ Unknown (iomdisk.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP0T0L0-3 : \Driver\iomdisk @ Unknown (iomdisk.sys)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ KERNEL32.dll) ntdll.dll - NtProtectVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008d80 (jmp 0xffffffff936fb692)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ Secur32.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ Secur32.dll) ntdll.dll - ZwFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ ShimEng.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ ShimEng.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ ShimEng.dll) ntdll.dll - NtProtectVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008d80 (jmp 0xffffffff936fb692)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtProtectVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008d80 (jmp 0xffffffff936fb692)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtFreeVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008ea0 (jmp 0xffffffff936fbb12)
[IAT:Inl] (explorer.exe @ PSAPI.DLL) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] xxd3xa0o.default : user_pref("browser.startup.homepage", "www.google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1600AAJB-00J3A0 +++++
--- User ---
[MBR] a9d88c5bfcceb358dee0fea0508aadd4
[BSP] 06fafca6e7c85f9f43ebb60ce3e626a6 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 156 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 321300 | Size: 152468 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Sony Storage Media USB Device +++++
--- User ---
[MBR] bc980fe5e099e12f5e0d9d86acbc5044
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 3823 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_11192014_111809.log


Reply #7November 25, 2014, 08:20:19 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #7 on: November 25, 2014, 08:20:19 AM »
Ok, this:

[IAT:Inl] (explorer.exe @ PSAPI.DLL) ntdll.dll - NtAllocateVirtualMemory : C:\WINDOWS\system32\hmpalert.dll @ 0x10008cf0 (jmp 0xffffffff936fbd82)

is from your antivirus, I'll add it to whitelist.

However, I'd suggest to remove everything (in registry) not tagged "PUM.something", they look random names and malicious;

Reply #8November 26, 2014, 07:36:00 PM

RC@RKforum

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #8 on: November 26, 2014, 07:36:00 PM »

Okay, thank you…

I’ve cleaned up the non “PUM.something” items in the Registry. I also ran AdwCleaner as you suggested which detected various items.  Report is below.

I can identify many files & registry items on list which I feel safe removing (i.e., Uniblue, etc..) but I’m not sure about others (i.e., those “AxMetaStream.MetaStream” items in registry section.  Can you quickly skim and let me know if anything is clearly unwanted/malware?


Thanks again….. I think things should be Okay after this.   :)




# AdwCleaner v4.101 - Report created 24/11/2014 at 13:52:25
# Updated 09/11/2014 by Xplode
# Database : 2014-11-07.1 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Robert C - DFYPGN41
# Running from : C:\Documents and Settings\Robert C\My Documents\Downloads\adwcleaner_4.101.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\All Users\Desktop\driverscanner.lnk
File Found : C:\Documents and Settings\Robert C\Application Data\Mozilla\Firefox\Profiles\xxd3xa0o.default\invalidprefs.js
File Found : C:\WINDOWS\Reimage.ini
Folder Found : C:\Documents and Settings\All Users\Application Data\~0
Folder Found : C:\Documents and Settings\All Users\Application Data\SecTaskMan
Folder Found : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found : C:\Documents and Settings\All Users\Start Menu\Programs\Uniblue
Folder Found : C:\Documents and Settings\Robert C\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Folder Found : C:\Program Files\Uniblue
Folder Found : C:\Program Files\Uniblue\DriverScanner
Folder Found : C:\Program Files\Viewpoint

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Uniblue
Key Found : HKCU\Software\Uniblue\DriverScanner
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\speedupmypc
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Trusted Software Assistant_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Found : HKLM\SOFTWARE\Uniblue
Key Found : HKLM\SOFTWARE\Uniblue\DriverScanner
Key Found : HKLM\SOFTWARE\Uniblue\SpeedUpMyPC
Key Found : HKLM\SOFTWARE\Viewpoint
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v33.0.3 (x86 en-US)


-\\ Google Chrome v39.0.2171.65

[C:\Documents and Settings\Robert C\Local Settings\Application Data\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Documents and Settings\Robert C\Local Settings\Application Data\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [4298 octets] - [24/11/2014 13:52:25]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4358 octets] ##########

Reply #9November 27, 2014, 08:26:51 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #9 on: November 27, 2014, 08:26:51 AM »
Remove all, AdwCleaner isn't known for having false positives.

Reply #10November 29, 2014, 10:33:00 PM

RC@RKforum

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Assistance Interpreting Hook SSDTs in Antirootkit tab...
« Reply #10 on: November 29, 2014, 10:33:00 PM »

Great! Thank you again for your generous help and insight.  Experience & know-how in identifying malware, dealing with threats, deciphering logs, is a rare and valuable skill.  It takes a specialized and trained eye. 

Your work—diagnosis, interaction, and feedback— is very much appreciated by many, not least because it is done in a disinterested and magnanimous way. :)