{ "header": { "program": { "project": "RogueKiller", "version": "10.9.0.0", "x64": false, "date": "Jul 6 2015", "contact": "http://www.adlice.com/contact/", "feedback": "http://forum.adlice.com", "website": "http://www.adlice.com/softwares/roguekiller/", "blog": "http://www.adlice.com" }, "environment": { "operating_system": "Windows 7 (6.1.7600 ) 32 bits version", "boot": 0, "winpe": false, "user": "Win7", "user_admin": true, "program_location": "C:\\Users\\Win7\\Downloads\\Programs\\RogueKiller.exe", "x64": false }, "report": { "type": 1, "aborted": false, "date": "07/09/2015 11:50:30", "switches": 0, "debug": false } }, "results": { "processes": [], "modules": [], "services": [], "registry": [ { "scan_what": 1, "scan_how": [ 7 ], "scan_how_trigger": 7, "vendors": [ "PUM.Policies" ], "rule_name": "Policies", "view": 256, "value": "ConsentPromptBehaviorAdmin", "subkey": "", "value_old_data": "", "value_data": "0", "path": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "extra": "", "files_status": "", "vtscore": -1, "files": [], "status_str": "وجد", "status_choice": 1, "status_removed": 0 } ], "tasks": [], "filesystem": [], "hosts": { "is_too_big": false, "lines": [ { "scan_what": 0, "scan_how": [], "vendors": [], "line": "127.0.0.1 tonec.com", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "status_str": "", "status_malicious": false, "status_choice": 1, "status_removed": 0 }, { "scan_what": 0, "scan_how": [], "vendors": [], "line": "127.0.0.1 www.tonec.com", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "status_str": "", "status_malicious": false, "status_choice": 1, "status_removed": 0 }, { "scan_what": 0, "scan_how": [], "vendors": [], "line": "127.0.0.1 internetdownloadmanager.com", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "status_str": "", "status_malicious": false, "status_choice": 1, "status_removed": 0 } ] }, "antirootkit": { "is_driver_loaded": true, "driver_error": 0, "results": [ { "scan_what": 5, "scan_how": [], "vendors": [ "Hook.IEAT" ], "type": 5, "type_str": "IAT", "detour": 2, "detour_str": "Inl", "import_table": { "type": 2, "process": "explorer.exe", "pid": 1984, "module_memory": "USER32.dll", "import": "NlsAnsiCodePage", "import_module": "ntdll.dll", "module_table": "ntdll.dll", "detour_module": "", "entrypoint": 2010870096, "code_entrypoint": -874811047, "stack_trace": "call 0x54000009", "stack_hextrace": "e8 04 00 00 54" }, "status_str": "", "status_choice": 1, "status_removed": 0 }, { "scan_what": 5, "scan_how": [], "vendors": [ "Hook.IEAT" ], "type": 5, "type_str": "IAT", "detour": 2, "detour_str": "Inl", "import_table": { "type": 2, "process": "chrome.exe", "pid": 3392, "module_memory": "USER32.dll", "import": "NlsAnsiCodePage", "import_module": "ntdll.dll", "module_table": "ntdll.dll", "detour_module": "", "entrypoint": 2010870096, "code_entrypoint": -874811047, "stack_trace": "call 0x54000009", "stack_hextrace": "e8 04 00 00 54" }, "status_str": "", "status_choice": 1, "status_removed": 0 }, { "scan_what": 5, "scan_how": [], "vendors": [ "Hook.IEAT" ], "type": 5, "type_str": "IAT", "detour": 2, "detour_str": "Inl", "import_table": { "type": 2, "process": "chrome.exe", "pid": 3280, "module_memory": "USER32.dll", "import": "NlsAnsiCodePage", "import_module": "ntdll.dll", "module_table": "ntdll.dll", "detour_module": "", "entrypoint": 2010870096, "code_entrypoint": -874811047, "stack_trace": "call 0x54000009", "stack_hextrace": "e8 04 00 00 54" }, "status_str": "", "status_choice": 1, "status_removed": 0 }, { "scan_what": 5, "scan_how": [], "vendors": [ "Hook.IEAT" ], "type": 5, "type_str": "IAT", "detour": 2, "detour_str": "Inl", "import_table": { "type": 2, "process": "chrome.exe", "pid": 2264, "module_memory": "USER32.dll", "import": "NlsAnsiCodePage", "import_module": "ntdll.dll", "module_table": "ntdll.dll", "detour_module": "", "entrypoint": 2010870096, "code_entrypoint": -874811047, "stack_trace": "call 0x54000009", "stack_hextrace": "e8 04 00 00 54" }, "status_str": "", "status_choice": 1, "status_removed": 0 }, { "scan_what": 5, "scan_how": [], "vendors": [ "Hook.IEAT" ], "type": 5, "type_str": "IAT", "detour": 2, "detour_str": "Inl", "import_table": { "type": 2, "process": "chrome.exe", "pid": 4368, "module_memory": "USER32.dll", "import": "NlsAnsiCodePage", "import_module": "ntdll.dll", "module_table": "ntdll.dll", "detour_module": "", "entrypoint": 2010870096, "code_entrypoint": -874811047, "stack_trace": "call 0x54000009", "stack_hextrace": "e8 04 00 00 54" }, "status_str": "", "status_choice": 1, "status_removed": 0 }, { "scan_what": 5, "scan_how": [], "vendors": [ "Hook.IEAT" ], "type": 5, "type_str": "IAT", "detour": 2, "detour_str": "Inl", "import_table": { "type": 2, "process": "chrome.exe", "pid": 4436, "module_memory": "USER32.dll", "import": "NlsAnsiCodePage", "import_module": "ntdll.dll", "module_table": "ntdll.dll", "detour_module": "", "entrypoint": 2010870096, "code_entrypoint": -874811047, "stack_trace": "call 0x54000009", "stack_hextrace": "e8 04 00 00 54" }, "status_str": "", "status_choice": 1, "status_removed": 0 }, { "scan_what": 5, "scan_how": [], "vendors": [ "Hook.IEAT" ], "type": 5, "type_str": "IAT", "detour": 2, "detour_str": "Inl", "import_table": { "type": 2, "process": "explorer.exe", "pid": 1112, "module_memory": "USER32.dll", "import": "NlsAnsiCodePage", "import_module": "ntdll.dll", "module_table": "ntdll.dll", "detour_module": "", "entrypoint": 2010870096, "code_entrypoint": -874811047, "stack_trace": "call 0x54000009", "stack_hextrace": "e8 04 00 00 54" }, "status_str": "", "status_choice": 1, "status_removed": 0 } ] }, "web_browsers": [], "disk": { "results": [], "mbr": "+++++ PhysicalDrive0: +++++\n--- User ---\n[MBR] 335aa158b099158f7da7fc3fa8f66e23\n[BSP] 7f09747448eee5d9f451ca5e7c39ec33 : Windows Vista/7/8|VT.Unknown MBR Code\nPartition table:\n0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 68825 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]\n1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 140970370 | Size: 408104 MB\nUser = LL1 ... OK\nUser = LL2 ... OK\n\n" } } }