Topic: Anti-rootkit results? Unsure what to do with these

December 30, 2014, 05:34:51 PM
KOTARE (Newbie)
Hi all.

I can't select these items in RK to be deleted - I'm unsure what to do with them.
JG

Can't UL file so listed below:


RogueKiller V10.0.0.0 (x64) [Oct  7 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : KINGFISHER [Administrator]
Mode : Scan -- Date : 12/31/2014  00:25:17

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass5 : \Driver\SynTP @ \Device\0000009d (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass4 : \Driver\SynTP @ \Device\0000009b (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\SynTP @ \Device\00000099 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000098 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\0000008e (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[EAT:Addr] (explorer.exe) samcli.dll - DllCanUnloadNow : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222350
[EAT:Addr] (explorer.exe) samcli.dll - DllGetClassObject : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222130
[EAT:Addr] (explorer.exe) samcli.dll - DllRegisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb221f70
[EAT:Addr] (explorer.exe) samcli.dll - DllUnregisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222060

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6465GSX +++++
--- User ---
[MBR] c4a7161b6a04617324ada1e8e6e99a35
[BSP] f22a1020c3ae33691ec4576bb324c392 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 610378 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD7500BPKT-22PK4T0 +++++
--- User ---
[MBR] 27c661ad256d5194ac156f6352a0dc47
[BSP] b3b20bb8709b3c4333c1f43f4f99ef5d : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715402 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TOSHIBA External USB 3.0 USB Device +++++
--- User ---
[MBR] 00c00502dc4d8d07c9cdb3708859a264
[BSP] f95a0069f0928bdfcf078dd2b93016b5 : HP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_07262014_211846.log - RKreport_DEL_07262014_213155.log - RKreport_DEL_10082014_212938.log - RKreport_DEL_12302014_235711.log
RKreport_DEL_12302014_235740.log - RKreport_DEL_12312014_001904.log - RKreport_SCN_07262014_211836.log - RKreport_SCN_07262014_212939.log
RKreport_SCN_10062014_190124.log - RKreport_SCN_10082014_212200.log - RKreport_SCN_10082014_213146.log - RKreport_SCN_12302014_235146.log
RKreport_SCN_12312014_001614.log
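The Antirootkit section of the log above lists nine findings, but they trace back to only two files: every keyboard-class filter entry points at o2mdgx64.sys, and every EAT entry points at Google Drive's googledrivesync64.dll. The Python script below is an added example, not part of this thread and not RogueKiller's own code; it parses that section (embedded here as a constructed sample copied from the scan above), groups the hits by the file that backs them, and translates the \SystemRoot prefix to C:\Windows, which is an assumption for the general case but matches the path the moderators give for this machine. Triage starts from the distinct files, not from the hit count: each file is what gets hashed, signature-checked or uploaded.

```python
"""Parse the 'Antirootkit' section of a RogueKiller scan log and group the
findings by the file that backs them, so a long list of hits collapses to the
handful of files that actually need checking."""
import re
from collections import defaultdict

# Constructed sample: the Antirootkit section of the first scan log in the thread.
SAMPLE_LOG = r"""
¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass5 : \Driver\SynTP @ \Device\0000009d (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass4 : \Driver\SynTP @ \Device\0000009b (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\SynTP @ \Device\00000099 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000098 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\0000008e (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[EAT:Addr] (explorer.exe) samcli.dll - DllCanUnloadNow : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222350
[EAT:Addr] (explorer.exe) samcli.dll - DllGetClassObject : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222130
[EAT:Addr] (explorer.exe) samcli.dll - DllRegisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb221f70
[EAT:Addr] (explorer.exe) samcli.dll - DllUnregisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefb222060

¤¤¤ Web browsers : 0 ¤¤¤
"""

# "¤¤¤ <name> : <count> ..." section headers; "MBR Check" has no count and is ignored.
SECTION_HEADER = re.compile(r"^¤¤¤ (?P<name>[^:]+?) : (?P<count>\d+)")
# Keyboard/mouse class filter entries: which driver filters which device, and its file.
FILTER_LINE = re.compile(
    r"^\[Filter\((?P<detection>[^)]+)\)\] (?P<driver>\S+) @ (?P<device>\S+) : "
    r"(?P<filter_driver>\S+) @ (?P<filter_device>\S+) \((?P<module>[^)]+)\)$")
# Export-address-table entries: which export of which DLL, in which process, points where.
EAT_LINE = re.compile(
    r"^\[EAT:(?P<kind>\w+)\] \((?P<process>[^)]+)\) (?P<dll>\S+) - (?P<export>\S+) : "
    r"(?P<module>.+?) @ (?P<address>0x[0-9a-fA-F]+)$")


def parse_antirootkit(log_text):
    """Return (declared_count, entries) for the Antirootkit section.

    Each entry is a dict with 'type' 'filter' or 'eat' plus the named fields of
    the matching line. Lines the parser does not understand are kept as
    {'type': 'unknown', 'raw': line} so nothing is silently dropped."""
    declared, entries, in_section = None, [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("¤¤¤"):
            m = SECTION_HEADER.match(line)
            in_section = bool(m) and m.group("name") == "Antirootkit"
            if in_section:
                declared = int(m.group("count"))
            continue
        if not in_section or not line:
            continue
        m = FILTER_LINE.match(line)
        if m:
            entries.append({"type": "filter", **m.groupdict()})
            continue
        m = EAT_LINE.match(line)
        if m:
            entries.append({"type": "eat", **m.groupdict()})
            continue
        entries.append({"type": "unknown", "raw": line})
    return declared, entries


def to_win32_path(nt_path, system_root=r"C:\Windows"):
    """Translate the SystemRoot prefix RogueKiller prints for drivers into the
    Win32 path a user can open. system_root is assumed to be C:\\Windows."""
    prefix = "\\SystemRoot"
    if nt_path.lower().startswith(prefix.lower()):
        return system_root + nt_path[len(prefix):]
    return nt_path


def group_by_module(entries):
    """Group findings by backing file so the user sees how many files to check."""
    groups = defaultdict(list)
    for entry in entries:
        key = "<unparsed>" if entry["type"] == "unknown" else to_win32_path(entry["module"])
        groups[key].append(entry)
    return dict(groups)


def describe(hit):
    """One-line description of a single finding."""
    if hit["type"] == "filter":
        return f"{hit['detection']} filter {hit['filter_driver']} on {hit['device']}"
    if hit["type"] == "eat":
        return f"EAT:{hit['kind']} hook of {hit['dll']}!{hit['export']} in {hit['process']}"
    return "unparsed: " + hit["raw"]


def summarize(log_text):
    """Human-readable triage summary: one block per distinct backing file."""
    declared, entries = parse_antirootkit(log_text)
    groups = group_by_module(entries)
    out = [f"Antirootkit: {len(entries)} findings parsed (header says {declared}), "
           f"{len(groups)} distinct files to check"]
    for module, hits in sorted(groups.items()):
        out.append(f"  {module}: {len(hits)} hit(s)")
        out.extend(f"      - {describe(h)}" for h in hits)
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it on the sample prints the two files with five and four hits respectively; pointing it at a real RKreport file (read the file and pass its text to `summarize`) does the same for any scan, and any line the regexes do not recognise shows up under `<unparsed>` rather than vanishing.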

Reply #1, December 30, 2014, 06:47:51 PM
Tigzy (Administrator, Owner, Adlice Software)
Please download the latest version and retry :)

Reply #2, January 01, 2015, 01:11:55 AM
KOTARE (Newbie)
Hi there. This IS from your website, I downloaded the most recent version; however, when I run it, it keeps telling me it's outdated. Do you have a direct link to the newest version at all?

Reply #3, January 02, 2015, 09:06:24 AM
Tigzy (Administrator, Owner, Adlice Software)
http://www.adlice.com/softwares/roguekiller/
Don't download from Fosshub link, they have an issue with updates...
You can try the Cloud/Local links.
« Last Edit: January 02, 2015, 05:04:29 PM by Tigzy »

Reply #4, January 02, 2015, 04:23:31 PM
KOTARE (Newbie)
Ok so I've reDL'd the exe - it's v10.1.1

I've done a scan and added the log below. There is still no box to check the files to delete them - should there be?
J


RogueKiller V10.1.1.0 (x64) [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : KINGFISHER [Administrator]
Mode : Scan -- Date : 01/02/2015  23:19:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 5 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass5 : \Driver\SynTP @ \Device\0000009f (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass4 : \Driver\SynTP @ \Device\0000009a (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\SynTP @ \Device\00000098 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\SynTP @ \Device\00000097 (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\0000008d (\SystemRoot\system32\DRIVERS\o2mdgx64.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6465GSX +++++
--- User ---
[MBR] c4a7161b6a04617324ada1e8e6e99a35
[BSP] f22a1020c3ae33691ec4576bb324c392 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 610378 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD7500BPKT-22PK4T0 +++++
--- User ---
[MBR] 27c661ad256d5194ac156f6352a0dc47
[BSP] b3b20bb8709b3c4333c1f43f4f99ef5d : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715402 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_01012015_080120.log - RKreport_DEL_07262014_211846.log - RKreport_DEL_07262014_213155.log - RKreport_DEL_10082014_212938.log
RKreport_DEL_12302014_235711.log - RKreport_DEL_12302014_235740.log - RKreport_DEL_12312014_001904.log - RKreport_SCN_07262014_211836.log
RKreport_SCN_07262014_212939.log - RKreport_SCN_10062014_190124.log - RKreport_SCN_10082014_212200.log - RKreport_SCN_10082014_213146.log
RKreport_SCN_12302014_235146.log - RKreport_SCN_12312014_001614.log - RKreport_SCN_12312014_002516.log

Reply #5, January 02, 2015, 05:05:54 PM
Tigzy (Administrator, Owner, Adlice Software)
No, it's normal. Can you upload C:\Windows\system32\DRIVERS\o2mdgx64.sys on VirusTotal and give the link to the results?

Reply #6, January 03, 2015, 01:23:22 AM
KOTARE (Newbie)
I've installed VirusTotal but it will not let me UL that file. Any other options?

Reply #7, January 04, 2015, 12:52:50 AM
Curson (Global Moderator)
Hi KOTARE,

Could you please explain as clearly as possible what problems you encountered?
Please follow the following process to analyse the file.

1. Show Hidden Files and Folders

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

2. Upload a file

Go to VirusTotal
When the page has finished loading, click the Choose file button, navigate to the following file and click Send file.
Code:
C:\Windows\system32\DRIVERS\o2mdgx64.sys
If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.

Regards.

Reply #8, January 04, 2015, 02:21:01 AM
KOTARE (Newbie)
Hi there.

I've followed those options. I now see the file in my browser, but not in the VirusTotal browser. Any other options?

Reply #9, January 04, 2015, 03:14:25 AM
Curson (Global Moderator)
Hi KOTARE,

Could you try to attach the file on your next post? If you do so, I will upload it to VT myself.

Regards.

Reply #10, January 05, 2015, 10:49:50 AM
Tigzy (Administrator, Owner, Adlice Software)
AFAIR, x86 web browsers are not able to browse inside the Sys32 folder.
You need to copy/paste the file to the desktop (with your Windows Explorer) prior to uploading it to VirusTotal.
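What Tigzy is describing is WoW64 file system redirection: on 64-bit Windows a 32-bit process (a 32-bit browser and its file-open dialog included) is shown C:\Windows\SysWOW64 wherever it asks for C:\Windows\System32, so a 64-bit-only driver that lives in the real System32 is simply absent from its point of view. Copying the file to the desktop with the 64-bit Explorer sidesteps that. The Python script below is an added example, not code from this thread or from Adlice; it performs the staging step of Curson's upload procedure programmatically and handles this tip: when it detects it is running under WoW64 it reads the file through the C:\Windows\Sysnative alias that Windows provides to 32-bit processes for exactly this purpose, copies it to the desktop, and prints the SHA-256 so the file can be looked up on VirusTotal by hash before or instead of uploading it. The default driver path is the one from the thread; the desktop location and the C:\Windows system root are assumptions.

```python
r"""Stage a driver from the real System32 for a VirusTotal upload.

A 32-bit process on 64-bit Windows is subject to WoW64 file system
redirection: C:\Windows\System32 is transparently mapped to
C:\Windows\SysWOW64, so a 64-bit-only driver in the real System32 is
invisible to it. Windows exposes the real directory to 32-bit processes
under the alias C:\Windows\Sysnative, which is used here when needed.
"""
import hashlib
import os
import shutil
import sys


def running_under_wow64(environ, is_windows=(os.name == "nt")):
    """True for a 32-bit process on 64-bit Windows. Windows sets the
    PROCESSOR_ARCHITEW6432 variable only in that situation."""
    return is_windows and "PROCESSOR_ARCHITEW6432" in environ


def native_system32_path(path, wow64, system_root=r"C:\Windows"):
    r"""Rewrite a System32 path to its Sysnative alias when running under
    WoW64, so the 64-bit file is read instead of a SysWOW64 counterpart.
    system_root is assumed to be C:\Windows (matches the thread's machine)."""
    if not wow64:
        return path
    sys32 = system_root + "\\system32\\"
    if path.lower().startswith(sys32.lower()):
        return system_root + "\\Sysnative\\" + path[len(sys32):]
    return path


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_for_upload(src, dest_dir, wow64=None):
    """Copy src into dest_dir (e.g. the Desktop), reading through Sysnative
    if this process is under WoW64, and return (copied_path, sha256).
    The hash alone is enough to search VirusTotal for an existing report."""
    if wow64 is None:
        wow64 = running_under_wow64(os.environ)
    real_src = native_system32_path(src, wow64)
    # Normalise separators so basename() also works for Windows paths off-Windows.
    dest = os.path.join(dest_dir, os.path.basename(src.replace("\\", os.sep)))
    shutil.copy2(real_src, dest)
    return dest, sha256_file(dest)


if __name__ == "__main__":
    # Default is the driver discussed in the thread; override with argv[1].
    driver = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\system32\DRIVERS\o2mdgx64.sys"
    desktop = os.path.join(os.path.expanduser("~"), "Desktop")  # assumed location
    copied, digest = stage_for_upload(driver, desktop)
    print(f"copied to: {copied}")
    print(f"SHA-256:   {digest}  (search VirusTotal for this hash, or upload the copy)")
```

Run it with a 64-bit Python and the Sysnative rewrite is skipped because no redirection applies; run it with a 32-bit Python on 64-bit Windows and the rewrite is what makes the copy succeed at all.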

Reply #11, January 06, 2015, 12:02:29 AM
KOTARE (Newbie)
:)

Thanks

Reply #12, January 06, 2015, 04:23:57 PM
Curson (Global Moderator)
Hi KOTARE, Tigzy,

Many thanks for the tip Tigzy, I wasn't aware of this behaviour.

The driver is legit and will be whitelisted in an upcoming release of RogueKiller.

Regards.