Looking for advice on RogueKiller results

Windows 7 Home Premium 64-bit user with trouble sending e-mail on occasion (0x800CCC0B); began checking the system for updates and malware, then ran RogueKiller. These results are in question specifically: (the system only has 1 physical drive, but shows 2 ???, User != LL2 ... KO! ???, and what is the infection rootkit.mbr ???)  I have run TDSSKiller and aswMBR already with no detections.  Haven't run Combofix yet.  Any help is appreciated.

Entire log:
RogueKiller V6.2.2 [12/31/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Dennis [Admin rights]
Mode: Scan -- Date : 01/04/2012 21:52:29

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7d99042ba241f79a8465379f4145273b
[BSP] 23979671e69144e5b498b6de9d930867 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 104 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): -1388070912 | Size: 11969 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] ce30e4de42a1f9f33eea4cb1de288ec7
[BSP] 374d5d41f67396ab9410749132ef7821 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 217933824 | Size: 314 Mo

+++++ PhysicalDrive1: +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4].txt >>
Jason Johanknecht (IT Manager) asked:

Thomas Zucker-Scharff (Solution Guide) commented:
I am not the most experienced expert here on RogueKiller, but I do know that RK will report erroneous results on Win7 64-bit machines due to the fact that Windows 7 does some trickery in order to run 32-bit programs.  Many rootkit detectors will detect the change in what is "supposed" to be there as a rootkit.  RK may detect some of the valid processes as rogue as well.  The technical explanation is that the files are not where programs expect them to be; instead Windows 7 64-bit reroutes the calls via a link mechanism to 32-bit versions of the files.  This rerouting is seen as rootkit activity.
andrewmcc commented:
In general, the best advice is to use a test PC loaded with Windows 7 and a decent antivirus with internet security package, whip out the suspect hard disk, plug it into the test PC, then do a full 3x virus sweep set to maximum settings, let it take the time it needs and then check the end report.
Once done, back up all/any data which needs archiving, then either image the drive to be sure nothing is missed, then format, do a clean install, update to maximum and then use something like Secunia PSI to do a system check, with a decent antivirus with internet security package on, making sure it is as secure as it can be, then import the respective files back over, i.e. docs, favs, pics, music, Outlook data files etc.
Also, you don't mention if this is your own PC or someone else's PC?
A little time spent checking what else was on the suspect PC is worthwhile.
Often the source of the problem will ring a bell, i.e. a file downloaded from a suspect site, an email sent from or to someone, attachments etc.
Do some digging before you format; it's worth making sure nothing similar is coming back.
sazuke commented:
When installing, Windows 7 automatically creates a hidden partition of approx. 100 MB.
I don't use RogueKiller either; I prefer to use MWB and CCleaner in safe mode to remove viruses.

rpggamergirl commented:
Error reading LL2 MBR!
User != LL2 ... KO!

The above are the only suspicious entries, but then RogueKiller did not flag any rootkits, and the other scanners that you mentioned, TDSSKiller and especially aswMBR, also didn't flag any entries.
With the above lines, plus if the log also showed something like "MBR Code unknown" or an active NTFS hidden partition (which is not the OS partition), then that would be concerning.

The RogueKiller author might be browsing here sometime and he'll be able to explain those lines.
For the meantime, if you're concerned, run Combofix.
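As an added example (not from this thread or from RogueKiller itself), here is a small Python MBR parser that does what the two quoted lines and the advice above describe: it hashes two reads of sector 0 so they can be compared the way the User/LL2 lines are, and it walks the partition table flagging more than one active entry or an active hidden-NTFS entry. The sample sectors are constructed, and it is an assumption that RogueKiller hashes the sector this way; the third sample entry starts at 2906896384 sectors, which prints as -1388070912 when the same 32 bits are read as a signed value.

```python
import hashlib
import struct
SECTOR_SIZE = 512
HIDDEN_NTFS = 0x17  # partition type id for hidden NTFS (0x07 is ordinary NTFS)

def build_mbr(boot_code, entries):
    """Construct a 512-byte MBR: 446 bytes of boot code, four 16-byte partition
    entries (boot flag, type, start LBA, sector count) and the 0x55AA signature."""
    sector = bytearray(boot_code.ljust(446, b"\x00")[:446])
    for boot_flag, ptype, lba, count in entries:
        sector += struct.pack("<B3sB3sII", boot_flag, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector += b"\x00" * (16 * (4 - len(entries))) + b"\x55\xAA"
    return bytes(sector)

def parse_mbr(sector):
    """Return the MD5 of the whole sector, the MD5 of the boot code and the used entries."""
    if len(sector) != SECTOR_SIZE or sector[510:] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        lba, count = struct.unpack_from("<II", entry, 8)
        signed_lba = struct.unpack_from("<i", entry, 8)[0]  # same bytes read as signed int32
        if entry[4]:  # type 0 means the slot is unused
            parts.append({"index": i, "active": entry[0] == 0x80, "type": entry[4], "lba": lba,
                          "lba_as_signed": signed_lba, "size_mb": count * SECTOR_SIZE // 2**20})
    return {"mbr_md5": hashlib.md5(sector).hexdigest(),
            "boot_md5": hashlib.md5(sector[:446]).hexdigest(), "partitions": parts}

def compare_reads(user_read, low_level_read):
    """The check the log prints: do two independent reads of sector 0 hash identically?"""
    return "OK!" if hashlib.md5(user_read).digest() == hashlib.md5(low_level_read).digest() else "KO!"

def suspicious_partitions(parsed):
    """Flag more than one active entry, or an active hidden-NTFS entry."""
    findings = []
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) > 1:
        findings.append("more than one active partition")
    findings += ["active hidden NTFS partition at index %d" % p["index"]
                 for p in active if p["type"] == HIDDEN_NTFS]
    return findings

# Constructed sample disk: 100 MB active system partition, a large OS partition, and an
# 11969 MB partition starting past 2**31 sectors, so its LBA is negative when read signed.
SAMPLE_ENTRIES = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 2906689536),
                  (0x00, 0x07, 2906896384, 24512512)]
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90 CONSTRUCTED BOOT CODE ", SAMPLE_ENTRIES)
# Hypothetical second read with different boot code and an active hidden partition.
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90 OTHER BOOT CODE ",
                         SAMPLE_ENTRIES[:2] + [(0x80, HIDDEN_NTFS, 2906896384, 24512512)])
```

Calling compare_reads(CLEAN_MBR, TAMPERED_MBR) returns "KO!" and suspicious_partitions(parse_mbr(TAMPERED_MBR)) lists both findings, while the clean sector yields "OK!" and no findings.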
rpggamergirl commented:
¤¤¤ Infection : Root.MBR ¤¤¤

In my understanding, the above line doesn't mean the MBR is infected. It just means that the tool also scans for MBR infections.

An email has been sent to the RogueKiller author, so he'll be here sometime.
Tigzy commented:
Hello

Looking at the report, I can say this is maybe a bug.
Can you send me your RK_Quarantine folder located on the desktop? I will analyse the MBR dumps.
Tigzy commented:
Maybe a test + a dump with MBRCheck would be appreciated as well, to confirm.
Jason Johanknecht (IT Manager, Author) commented:
I normally use Malwarebytes, but it is worthless against a ZeroAccess infection until Combofix or aswMBR can remove the rootkit.  RogueKiller has been the quickest clue to those problems when Malwarebytes comes back with 0 problems.
The computer is not mine, nor am I working on it directly.  I am just e-mailing its owner with programs to run, and he e-mails me back the results.  At this point he isn't bringing the computer in for any service work, so I will leave it at false positive in RogueKiller until something more substantial can prove otherwise.