Author Topic: Need help reading my report...

Sylvoute (Newbie)
« on: December 14, 2014, 03:04:57 PM »
Hi there! Or even better, hi everyone!

After some visits to the tutorials and FAQ, I would appreciate some help reading this report RogueKiller gave me, that is to say, whether some of the results are known (even if not red) and whether I should delete them...

Thanks a lot!



RogueKiller V10.1.0.0 (x64) [Dec 11 2014] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : hp [Administrateur]
Mode : Scan -- Date : 12/14/2014  14:36:16

¤¤¤ Processus : 0 ¤¤¤

¤¤¤ Registre : 22 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update FindRight ("C:\Program Files (x86)\FindRight\updateFindRight.exe") -> Trouvé(e)
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Util FindRight ("C:\Program Files (x86)\FindRight\bin\utilFindRight.exe") -> Trouvé(e)
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update FindRight ("C:\Program Files (x86)\FindRight\updateFindRight.exe") -> Trouvé(e)
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Util FindRight ("C:\Program Files (x86)\FindRight\bin\utilFindRight.exe") -> Trouvé(e)
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update FindRight ("C:\Program Files (x86)\FindRight\updateFindRight.exe") -> Trouvé(e)
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Util FindRight ("C:\Program Files (x86)\FindRight\bin\utilFindRight.exe") -> Trouvé(e)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-4286809068-1687664259-410908429-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=http://127.0.0.1:9880  -> Trouvé(e)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-4286809068-1687664259-410908429-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=http://127.0.0.1:9880  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1Qzu0A0CzztCtCtBzy0F0DtC0C0AyDtAtA0BtN0D0Tzu0CyByByBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=321786820&ir=  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://fr.yahoo.com?fr=hp-avast&type=avastbcl  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-4286809068-1687664259-410908429-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://fr.yahoo.com?fr=hp-avast&type=avastbcl  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-4286809068-1687664259-410908429-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://fr.yahoo.com?fr=hp-avast&type=avastbcl  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : https://fr.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4286809068-1687664259-410908429-1001\Software\Microsoft\Internet Explorer\Main | Search Page : https://fr.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4286809068-1687664259-410908429-1001\Software\Microsoft\Internet Explorer\Main | Search Page : https://fr.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F2825CBF-EB8E-4A29-911D-40ED6CBE1458} | DhcpNameServer : 10.188.0.1 [(Private Address) (XX)]  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2825CBF-EB8E-4A29-911D-40ED6CBE1458} | DhcpNameServer : 10.188.0.1 [(Private Address) (XX)]  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F2825CBF-EB8E-4A29-911D-40ED6CBE1458} | DhcpNameServer : 10.188.0.1 [(Private Address) (XX)]  -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trouvé(e)

¤¤¤ Tâches : 3 ¤¤¤
[Suspicious.Path] AmiUpdXp.job -- C:\Users\hp\AppData\Local\5161\a26206.exe -> Trouvé(e)
[Suspicious.Path] SW.Booster-S-381974994.job -- c:\programdata\superbapp\sw.booster\SW.Booster.exe (/schedule /profile "c:\programdata\superbapp\sw.booster\381974994.ini") -> Trouvé(e)
[Suspicious.Path] \\AmiUpdXp -- C:\Users\hp\AppData\Local\5161\a26206.exe -> Trouvé(e)

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 30 (Driver: Chargé) ¤¤¤
[IAT:Inl] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x777b010a (jmp 0x15d850|jmp 0xfffffffffffffe09|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x777b010a (jmp 0x15ed60|jmp 0xfffffffffffffc49|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtDuplicateObject : Unknown @ 0x777b010a (jmp 0x15ed20|jmp 0xfffffffffffffc69|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtCreateEvent : Unknown @ 0x777b010a (jmp 0x15eba0|jmp 0xfffffffffffffd29|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtNotifyChangeKey : Unknown @ 0x777b010a (jmp 0x15e300|jmp 0xfffffffffffffb69|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtTerminateProcess : Unknown @ 0x777b010a (jmp 0x15ee70|jmp 0xfffffffffffffc19|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenEvent : Unknown @ 0x777b010a (jmp 0x15ec30|jmp 0xfffffffffffffd19|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtAssignProcessToJobObject : Unknown @ 0x777b010a (jmp 0x15e870|jmp 0xfffffffffffffc59|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtSetContextThread : Unknown @ 0x777b010a (jmp 0x15dc20|jmp 0xfffffffffffffbf9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtCreateSection : Unknown @ 0x777b010a (jmp 0x15ebc0|jmp 0xfffffffffffffce9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenProcess : Unknown @ 0x777b010a (jmp 0x15ee60|jmp 0xfffffffffffffc89|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtNotifyChangeMultipleKeys : Unknown @ 0x777b010a (jmp 0x15e300|jmp 0xfffffffffffffb59|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtQueryObject : Unknown @ 0x777b010a (jmp 0x15f0a0|jmp 0xfffffffffffffba9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtCreateIoCompletion : Unknown @ 0x777b010a (jmp 0x15e730|jmp 0xfffffffffffffca9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenSection : Unknown @ 0x777b010a (jmp 0x15ed00|jmp 0xfffffffffffffcd9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtCreateSemaphore : Unknown @ 0x777b010a (jmp 0x15e5a0|jmp 0xfffffffffffffd49|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenSemaphore : Unknown @ 0x777b010a (jmp 0x15e030|jmp 0xfffffffffffffd39|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtCreateMutant : Unknown @ 0x777b010a (jmp 0x15e610|jmp 0xfffffffffffffd69|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenMutant : Unknown @ 0x777b010a (jmp 0x15e060|jmp 0xfffffffffffffd59|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtCreateTimer : Unknown @ 0x777b010a (jmp 0x15e5f0|jmp 0xfffffffffffffcc9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenTimer : Unknown @ 0x777b010a (jmp 0x15e070|jmp 0xfffffffffffffcb9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtCreateThreadEx : Unknown @ 0x777b010a (jmp 0x15e6a0|jmp 0xfffffffffffffc29|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtTerminateThread : Unknown @ 0x777b010a (jmp 0x15ec10|jmp 0xfffffffffffffc09|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenThread : Unknown @ 0x777b010a (jmp 0x15e0c0|jmp 0xfffffffffffffc79|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtSuspendThread : Unknown @ 0x777b010a (jmp 0x15d9a0|jmp 0xfffffffffffffbc9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x777b010a (jmp 0x15e980|jmp 0xfffffffffffffb79|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtQueueApcThreadEx : Unknown @ 0x777b010a (jmp 0x15de80|jmp 0xfffffffffffffbb9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtVdmControl : Unknown @ 0x777b010a (jmp 0x15d700|jmp 0xfffffffffffffd79|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtOpenEventPair : Unknown @ 0x777b010a (jmp 0x15e130|jmp 0xfffffffffffffcf9|jmp 0xfffffffffffffff0)
[IAT:Inl] (explorer.exe) ntdll.dll - NtLoadDriver : Unknown @ 0x777b010a (jmp 0x15e140|jmp 0xfffffffffffffe19|jmp 0xfffffffffffffff0)

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS547575A9E384 SATA Disk Device +++++
--- User ---
[MBR] 9816643a95a3db85a3bb7e05d0ed09bd
[BSP] ef82a00aa144b47f30f845c8b6641af1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 695173 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1424123904 | Size: 15968 MB
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 1456826368 | Size: 4062 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG HM500JI USB Device +++++
--- User ---
[MBR] d8857f24298c38a4e57b8233e7aa7b59
[BSP] 97e1884010c6d164a9d40d24d19cafa5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 16065 | Size: 476929 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )


nitrousable (Newbie)
« Reply #1 on: December 14, 2014, 04:46:18 PM »
You should upload a26206.exe to VirusTotal and check the detection rates.

Tigzy (Administrator, Owner, Adlice Software)
« Reply #2 on: December 19, 2014, 04:10:58 PM »
It looks like malware.
Remove everything.

Also, what is your antivirus? I'm asking regarding the rootkit entries.
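As an added example (not from this thread, and not RogueKiller's own code), a small Python triage script that parses lines in the report format posted above and pulls out the three things the replies turn on: the proxy on localhost, the scheduled task launching an executable from a numbered AppData folder, and the user-mode hooks grouped by the handler address they share, which is the detail behind the antivirus question. The sample lines are constructed from the thread's report with the SID replaced by a placeholder.

```python
import re
from collections import Counter

# Constructed sample in RogueKiller's report format: a few lines trimmed from the
# report posted in this thread (SID replaced by a placeholder, jmp chains cut).
SAMPLE = r"""
¤¤¤ Registre : 22 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update FindRight ("C:\Program Files (x86)\FindRight\updateFindRight.exe") -> Trouvé(e)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-XXX-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=http://127.0.0.1:9880  -> Trouvé(e)
¤¤¤ Tâches : 3 ¤¤¤
[Suspicious.Path] AmiUpdXp.job -- C:\Users\hp\AppData\Local\5161\a26206.exe -> Trouvé(e)
¤¤¤ Antirootkit : 30 (Driver: Chargé) ¤¤¤
[IAT:Inl] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x777b010a (jmp 0x15d850|jmp 0xfffffffffffffe09)
[IAT:Inl] (explorer.exe) ntdll.dll - NtLoadDriver : Unknown @ 0x777b010a (jmp 0x15e140|jmp 0xfffffffffffffe19)
"""

SECTION_RE = re.compile(r"^¤¤¤ (.+?) : .*¤¤¤$")           # e.g. "¤¤¤ Registre : 22 ¤¤¤"
FINDING_RE = re.compile(r"^\[([^\]]+)\] (.*?)(?: -> Trouvé\(e\))?$")
HOOK_RE = re.compile(r"^\(([^)]+)\) \S+ - (\w+) : (\S+) @ (0x[0-9a-f]+)")
LOCAL_PROXY_RE = re.compile(r"ProxyServer : \S*(?:127\.0\.0\.1|localhost):(\d+)")
APPDATA_EXE_RE = re.compile(r"AppData\\Local\\\d+\\[\w-]+\.exe", re.IGNORECASE)

def parse_report(text):
    """Return (section, tag, detail) for every "[Tag] ..." line under a ¤¤¤ header."""
    section, findings = None, []
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := FINDING_RE.match(line)):
            findings.append((section, m.group(1), m.group(2).strip()))
    return findings

def triage(findings):
    """Pull out what a defender checks first: a proxy on localhost (browser traffic
    interception), tasks running an exe from a numbered AppData directory, and
    user-mode hooks grouped by process and handler address (many Nt* hooks resolving
    to one address point to a single hooking module, so its owner, e.g. the AV, matters)."""
    out = {"counts": Counter(tag for _, tag, _ in findings),
           "local_proxy_ports": [], "appdata_tasks": set(), "hooks": {}}
    for _section, tag, detail in findings:
        if tag.startswith("PUM.Proxy") and (m := LOCAL_PROXY_RE.search(detail)):
            out["local_proxy_ports"].append(int(m.group(1)))
        elif tag == "Suspicious.Path" and (m := APPDATA_EXE_RE.search(detail)):
            out["appdata_tasks"].add(m.group(0))
        elif tag == "IAT:Inl" and (m := HOOK_RE.match(detail)):
            proc, func, owner, addr = m.groups()
            out["hooks"].setdefault(f"{proc}:{owner}@{addr}", []).append(func)
    out["appdata_tasks"] = sorted(out["appdata_tasks"])
    return out
```

Running `triage(parse_report(SAMPLE))` on the full report from the thread would group all 30 explorer.exe hooks under the single `Unknown@0x777b010a` key, which is the pattern worth resolving to a module before deciding whether those entries belong to the installed antivirus.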