Jason Johanknecht
asked on
Looking for advice on RogueKiller results
Windows 7 Home Premium 64-bit user with trouble sending e-mail on occasion (0x800CCC0B). I began checking the system for updates and malware, and then ran RogueKiller. These results are in question specifically: the system only has 1 physical drive, but shows 2 ???; "User != LL2 ... KO!" ???; and what is the infection rootkit.mbr ??? I have run TDSSKiller and aswMBR already with no detections. Haven't run ComboFix yet. Any help is appreciated.
Entire log:
RogueKiller V6.2.2 [12/31/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Dennis [Admin rights]
Mode: Scan -- Date : 01/04/2012 21:52:29
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7d99042ba241f79a8465379f4145273b
[BSP] 23979671e69144e5b498b6de9d930867 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 104 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): -1388070912 | Size: 11969 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] ce30e4de42a1f9f33eea4cb1de288ec7
[BSP] 374d5d41f67396ab9410749132ef7821 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 217933824 | Size: 314 Mo
+++++ PhysicalDrive1: +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[4].txt >>
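The "MBR Check" section of the log above compares several reads of the same first sector (a user-mode read against two lower-level reads, LL1 and LL2) and flags a mismatch as "KO!". The following is an added example, written for this thread and not RogueKiller's own code, that shows what such a comparison involves: it parses a 512-byte MBR into boot code, partition entries and signature, diffs two reads region by region, and lists things worth a second look (an entry extending past the end of the disk, a start LBA at or above 2^31, which a tool printing the unsigned 32-bit field as a signed integer would show as a negative number). The two sample MBRs, the 320 GB disk size and the idea that the log's "-1388070912" is a signed print of the unsigned LBA 2906896384 are all my assumptions; none of this is real data from the poster's drive.

```python
import hashlib
import struct
from typing import List, Optional

SECTOR = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR

# Partition type bytes that commonly appear on a Windows 7 disk (names are standard, the selection is mine).
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x27: "Hidden NTFS (WinRE)", 0xEE: "GPT protective"}


def as_signed32(value: int) -> int:
    """Show an unsigned 32-bit LBA the way a tool printing it as a signed int32 would."""
    return value - (1 << 32) if value >= (1 << 31) else value


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the non-empty partition entries and the signature flag."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": lba_start, "sectors": sectors,
                      "size_mib": sectors * SECTOR // (1024 * 1024)})
    return {"boot_code_sha1": hashlib.sha1(mbr[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}


def find_anomalies(info: dict, disk_sectors: Optional[int] = None) -> List[str]:
    """Plain-language observations a reviewer would want to see before calling anything a rootkit."""
    notes = []
    if not info["signature_ok"]:
        notes.append("missing 0x55AA boot signature")
    if sum(p["active"] for p in info["partitions"]) > 1:
        notes.append("more than one partition marked active")
    for p in info["partitions"]:
        if p["type_name"] == "unknown":
            notes.append(f"entry {p['index']}: unknown partition type 0x{p['type']:02x}")
        if p["lba_start"] >= (1 << 31):
            notes.append(f"entry {p['index']}: start LBA {p['lba_start']} is >= 2^31; "
                         f"a signed 32-bit print shows it as {as_signed32(p['lba_start'])}")
        if disk_sectors is not None and p["lba_start"] + p["sectors"] > disk_sectors:
            notes.append(f"entry {p['index']}: extends past end of disk ({disk_sectors} sectors)")
    return notes


def compare_mbrs(a: bytes, b: bytes) -> List[str]:
    """Name the regions that differ between two reads of the same sector (empty list means 'OK!')."""
    diffs = []
    if a[:PART_TABLE_OFFSET] != b[:PART_TABLE_OFFSET]:
        diffs.append("boot_code")
    for i in range(4):
        lo, hi = PART_TABLE_OFFSET + 16 * i, PART_TABLE_OFFSET + 16 * (i + 1)
        if a[lo:hi] != b[lo:hi]:
            diffs.append(f"partition_{i}")
    if a[510:] != b[510:]:
        diffs.append("signature")
    return diffs


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR for this example; it is not an image of any real disk."""
    table = bytearray(64)
    for slot, active, ptype, lba, sectors in entries:
        struct.pack_into("<B3xB3xII", table, 16 * slot, 0x80 if active else 0, ptype, lba, sectors)
    return (boot_code * PART_TABLE_OFFSET)[:PART_TABLE_OFFSET] + bytes(table) + BOOT_SIGNATURE


# Constructed samples modelled loosely on the log's layout: a 104 MiB active partition at LBA 2048 and a
# second entry with a start LBA above 2^31; the "LL2" read has different boot code and a different table.
USER_MBR = build_mbr(b"\xeb\x63\x90", [(0, True, 0x07, 2048, 104 * 2048),
                                      (2, False, 0x07, 2906896384, 11969 * 2048)])
LL2_MBR = build_mbr(b"\x33\xc0\x8e", [(0, True, 0x07, 217933824, 314 * 2048)])
DISK_SECTORS = 625142448  # constructed: roughly a 320 GB drive

if __name__ == "__main__":
    for name, mbr in (("User", USER_MBR), ("LL2", LL2_MBR)):
        info = parse_mbr(mbr)
        print(f"--- {name} --- boot code sha1 {info['boot_code_sha1']}")
        for p in info["partitions"]:
            flag = "[ACTIVE]" if p["active"] else "[      ]"
            print(f"{p['index']} - {flag} {p['type_name']} Offset (sectors): {p['lba_start']} "
                  f"(signed32: {as_signed32(p['lba_start'])}) | Size: {p['size_mib']} MiB")
        for note in find_anomalies(info, DISK_SECTORS):
            print("  !", note)
    print("User vs LL2 differs in:", ", ".join(compare_mbrs(USER_MBR, LL2_MBR)) or "nothing")
```

Run it as-is to see the two constructed reads side by side; point `parse_mbr` at the first 512 bytes of a real image (for example one captured with a disk-imaging tool) to get the same breakdown for an actual disk. A non-empty result from `compare_mbrs` only says that two code paths returned different bytes; whether that is a hooked read, a stale cache or a tool artifact is the question the rest of this thread is about.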
I am not the most experienced expert here on RogueKiller, but I do know that RK will report erroneous results on Win7 64-bit machines due to the fact that Windows 7 does some trickery in order to run 32-bit programs. Many rootkit detectors will detect the change in what is "supposed" to be there as a rootkit. RK may detect some of the valid processes as rogue as well. The technical explanation is that the files are not where programs expect them to be; instead Windows 7 64-bit reroutes the calls via a link mechanism to 32-bit versions of the files. This rerouting is seen as rootkit activity.
In general, the best advice is to use a test PC, loaded with Windows 7 and a decent antivirus with internet security package, whip out the suspect hard disk, plug it into the test PC, then do a full 3x virus sweep, set to maximum settings, let it take the time it needs and then check the end report.
Once done, back up all / any data which needs archiving, then either image the drive to be sure nothing is missed, then format, do a clean install, update to maximum and then use something like Secunia PSI to do a system check, with a decent antivirus with internet security package on, making sure it is as secure as it can be, then import the respective files back over, i.e. docs, favs, pics, music, Outlook data files etc.
Also, you don't mention if this is your own PC or someone else's PC?
A little time spent checking what else was on the suspect PC is worthwhile.
Often the source of the problem will ring a bell, i.e. a file downloaded from a suspect site, an email sent from or to someone, attachments etc.
Do some digging before you format; it's worth making sure nothing similar is coming back.
When installing, Windows 7 automatically creates a hidden partition of approx. 100 MB.
I don't use RogueKiller either; I prefer to use MWB and CCleaner in safe mode to remove viruses.
Maybe a test + a dump with MBRCheck would be appreciated as well, to confirm.
ASKER
I normally use Malwarebytes, but it is worthless against a ZeroAccess infection until ComboFix or aswMBR can remove the rootkit. RogueKiller has been the quickest clue to those problems when Malwarebytes comes back with 0 problems.
The computer is not mine, nor am I working on it directly. I'm just e-mailing its owner with programs to run, and he e-mails me back the results. At this point he isn't bringing the computer in for any service work, so I will leave it at false positive in RogueKiller until something more substantial can prove otherwise.