Suspicious

Hi, I ran a full scan with Avast a while ago and something strange happened: the UI started blinking, and when I checked it, it said "Avast protection is off". Then it went back to normal, aka "all secured" (not sure if high CPU usage while running a full scan can do that).
I ran RogueKiller and found this:

RogueKiller V8.8.2 [Jan 17 2014] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : PatricK [Admin rights]
Mode : Scan – Date : 01/23/2014 14:39:38
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKCU[…]\System : DisableTaskMgr (0) → FOUND
[HJ POL][PUM] HKCU[…]\System : DisableRegistryTools (0) → FOUND
[HJ POL][PUM] HKLM[…]\System : DisableRegistryTools (0) → FOUND
[HJ DESK][PUM] HKCU[…]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ DESK][PUM] HKCU[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[Faked][File] hxxp.sys : C:\Windows\system32\drivers\hxxp.sys [-] → FOUND
[Faked][File] iaStorV.sys : C:\Windows\system32\drivers\iaStorV.sys [-] → FOUND
[Faked][File] ipfltdrv.sys : C:\Windows\system32\drivers\ipfltdrv.sys [-] → FOUND
[Faked][File] ks.sys : C:\Windows\system32\drivers\ks.sys [-] → FOUND
[Faked][File] lsi_scsi.sys : C:\Windows\system32\drivers\lsi_scsi.sys [-] → FOUND
[Faked][File] mouclass.sys : C:\Windows\system32\drivers\mouclass.sys [-] → FOUND
[Faked][File] mrxsmb10.sys : C:\Windows\system32\drivers\mrxsmb10.sys [-] → FOUND
[Faked][File] netbt.sys : C:\Windows\system32\drivers\netbt.sys [-] → FOUND
[Faked][File] rdbss.sys : C:\Windows\system32\drivers\rdbss.sys [-] → FOUND
[Faked][File] VX3000.sys : C:\Windows\system32\drivers\VX3000.sys [-] → FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AADS-67S9B1 ATA Device +++++
— User —
[MBR] 5985724ba892a5726b4ce24e2f48fbe8
[BSP] eb11fb66582f439466a24426dcc02753 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76217 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 156299264 | Size: 400620 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[0]_S_01232014_143937.txt >>
RKreport[0]_S_12312013_072810.txt

In the Particular Files section, is that something to be worried about?

Nope, they are all legitimate :)

Ok, thanks ma brotha :D

Hi Martin,

So they are not registry hacks and therefore PUMs?

NewStartPanel is a sub-key of Hide Desktop Items. A PUM detection means a "Potentially Unwanted Modification (PUM)". It is considered potentially unwanted because the program making the detection cannot determine if the modification was set by the user, a legitimate program or by malware.

If you recognize the PUM detection items, you can ignore the detection. If you don't recognize the detections, then you may need to investigate further as to what program made the modification(s) or remove them. *

What you probably meant is there were no additional signs of an infection.

* The quote above is from quietman7 on the Bleeping Computer security forum.

Damian

And what about all the Faked file entries? Faked = MD5 mismatch with known original file (version) hashes?

Hi propheticus,

Good remark. For this we need three ways to make an MD5 sum of the img files: the good one, the bad one and also the quoted one, and check those.

polonus
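The two questions raised above (whether the PUM registry hits matter, and what a "Faked" verdict means in hash terms) can be worked through with a small triage script. This is an added example, not RogueKiller's code or anything posted in the thread: the report lines embedded in it are constructed in the format of the log above, the policy-value semantics (a value of 1 under the Policies\System key means the restriction is active, 0 means it is not) are standard Windows behaviour, and the "trusted hash list" is a stand-in dictionary, not RogueKiller's database.

```python
"""Triage helper for RogueKiller-style report lines (added example, not RogueKiller code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: a handful of lines in the format of the report quoted above.
SAMPLE_LOG = r"""
[HJ POL][PUM] HKCU[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKCU[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[Faked][File] ks.sys : C:\Windows\system32\drivers\ks.sys [-] -> FOUND
[Faked][File] netbt.sys : C:\Windows\system32\drivers\netbt.sys [-] -> FOUND
"""

REG_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\]\[PUM\] (?P<hive>HK\w+)\[[^\]]*\]\\(?P<key>\S+) : "
    r"(?P<name>\S+) \((?P<value>[^)]*)\) -> FOUND$"
)
FILE_RE = re.compile(r"^\[Faked\]\[File\] (?P<name>\S+) : (?P<path>.+?) \[[^\]]*\] -> FOUND$")

# Policy values under ...\Policies\System: 1 = restriction active, 0 = not active.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
# HideDesktopIcons sub-keys: a CLSID value of 1 hides that icon from the desktop.
DESKTOP_ICON_KEYS = {"NewStartPanel", "ClassicStartMenu"}


def parse_report(text):
    """Split report lines into registry PUM entries and 'Faked' file entries."""
    registry, files = [], []
    for line in text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            registry.append(m.groupdict())
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
    return {"registry": registry, "files": files}


def triage_registry(entry):
    """Explain what a PUM registry hit actually means, based on its value."""
    if entry["name"] in RESTRICTIVE_POLICIES:
        if entry["value"] == "1":
            return "restriction active: Task Manager/regedit blocked, investigate"
        return "key present but value 0: restriction not active"
    if entry["key"] in DESKTOP_ICON_KEYS:
        return "desktop icon hidden" if entry["value"] == "1" else "desktop icon shown"
    return "unrecognised PUM: investigate"


def file_md5(path):
    """MD5 of a file, the kind of hash a 'Faked' verdict is derived from."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_known_hash(path, known_hashes):
    """Compare a file's MD5 with a trusted list keyed by lower-case file name.

    Returns 'match', 'mismatch' or 'unknown'. A 'mismatch' only says the bytes
    differ from the one version in the list; a patched build mismatches just the
    same way a tampered one does, so confirm with the file's catalog signature.
    """
    expected = known_hashes.get(Path(path).name.lower())
    if expected is None:
        return "unknown"
    return "match" if file_md5(path) == expected.lower() else "mismatch"


def demo():
    """Run the triage on the constructed sample and on a throw-away temp file."""
    report = parse_report(SAMPLE_LOG)
    for entry in report["registry"]:
        print(f"{entry['hive']}\\{entry['key']}\\{entry['name']}={entry['value']}: {triage_registry(entry)}")
    verdicts = []
    # Constructed stand-in for a driver: the "trusted" hash is whatever we compute now.
    with tempfile.TemporaryDirectory() as tmp:
        fake_driver = Path(tmp) / "ks.sys"
        fake_driver.write_bytes(b"not a real driver, constructed for the example")
        trusted = {"ks.sys": file_md5(fake_driver)}
        verdicts.append(check_known_hash(fake_driver, trusted))          # match
        fake_driver.write_bytes(b"same name, different bytes")
        verdicts.append(check_known_hash(fake_driver, trusted))          # mismatch
        verdicts.append(check_known_hash(Path(tmp) / "netbt.sys", trusted))  # unknown
    for name, verdict in zip(("ks.sys", "ks.sys (modified)", "netbt.sys"), verdicts):
        print(f"{name}: {verdict}")
    return report, verdicts


if __name__ == "__main__":
    demo()
```

The point of the hash check is that "Faked" in a report like this means the file's hash was not in the tool's list of known-good versions, nothing more; a driver updated by a hotfix produces exactly the same verdict as a replaced one. On the live machine the authoritative test for a system driver is its Authenticode/catalog signature (for example with Sysinternals sigcheck), not an MD5 comparison against a third-party list.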

If those files were faked then the system would be misbehaving and Avast would be giving continual alerts, especially with regard to the network ones.

As seen with the Blackbeard Trojan, this is based on an altered system file which Avast did not detect at the time. However, it did detect and block the consequences.
http://blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/

Hi essexboy,

Thanks for setting our minds and that of the “victim” at ease.
Experience is the teacher here.

pol

If there is any concern I could check deeper, but I doubt that anything meaningful will be found. The PUMs are just that, potentially unwanted; however, if you look at other RK logs you will see that it always reports that.