A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #3986  by kiskav
 Tue Dec 14, 2010 2:16 am
Hi all,

I have attached an RKU log, which was taken from a system. Can anyone analyze this and let me know what RKU is pointing towards?

Here, the file scan didn't work (stuck calculating directories). Apart from that, the other scan results are included.
Kernel Callback also shows 2 unknown handlers, but it isn't locating any file.

Regards,
Kiskav
Attachments
RKU LOG
(117.42 KiB) Downloaded 32 times
 #3987  by EP_X0FF
 Tue Dec 14, 2010 3:53 am
Hello,

1. Uninstall McAfee because it produces massive rootkit activity, reboot
2. Turn on filtering of .NET modules in RKU (go to Setup->Exclude .NET module)
3. Rescan with RKU
4. Install McAfee back

Regards.

Thread moved to Tools/Software forum.
 #3998  by kiskav
 Wed Dec 15, 2010 1:38 am
Hi EP,

Here is the new log, collected after performing what you said.

Not sure what this is referring to:
0x85E816C6 Unknown page with executable code, 2362 bytes
0x85E834F7 Unknown page with executable code, 2825 bytes
0x85E7E3BD Unknown page with executable code, 3139 bytes
0x85E7D28A Unknown page with executable code, 3446 bytes
0x85E8258D Unknown thread object [ ETHREAD 0x85FF1568 ] TID: 248, 600 bytes
0x85E83876 Unknown thread object [ ETHREAD 0x85FF5D48 ] TID: 252, 600 bytes
0x85E815FB Unknown thread object [ ETHREAD 0x86168648 ] , 600 bytes
0x05E80000 Hidden Image-->ESCliWicMDRW.esx [ EPROCESS 0x878EAD40 ] PID: 4164, 765952 bytes
0x05BF0000 Hidden Image-->ESCliFacebookAPI.esx [ EPROCESS 0x878EAD40 ] PID: 4164, 823296 bytes
The complete log is below.

Thanks
Kiskav
Attachments
(38.18 KiB) Downloaded 30 times
 #3999  by EP_X0FF
 Wed Dec 15, 2010 3:19 am
They all look like false positives; the first few are caused by Windows itself.

ESCliWicMDRW
ESCliFacebookAPI

are something related to Kodak. If you know these files, then the log is OK.
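As an added example (not code from the thread or from RKU), here is a small parser and triage helper for RKU report lines of the kind quoted above. It splits each line into address, description, size and any embedded ETHREAD/EPROCESS object address, TID or PID, then groups the findings the way the reply does: kernel-space executable pages and unknown threads in one bucket for review, and hidden images split by whether their names are on a list of files the user recognizes. The line format is inferred only from the quoted lines, the sample log is constructed from them, and the kernel/user split at 0x80000000 assumes a 32-bit Windows system with the default 2 GB/2 GB layout.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: a subset of the RKU lines quoted in the thread, not a full log.
SAMPLE_LOG = """\
0x85E816C6 Unknown page with executable code, 2362 bytes
0x85E834F7 Unknown page with executable code, 2825 bytes
0x85E8258D Unknown thread object [ ETHREAD 0x85FF1568 ] TID: 248, 600 bytes
0x85E815FB Unknown thread object [ ETHREAD 0x86168648 ] , 600 bytes
0x05E80000 Hidden Image-->ESCliWicMDRW.esx [ EPROCESS 0x878EAD40 ] PID: 4164, 765952 bytes
0x05BF0000 Hidden Image-->ESCliFacebookAPI.esx [ EPROCESS 0x878EAD40 ] PID: 4164, 823296 bytes
"""

# Assumption: 32-bit Windows with the default split, so kernel space starts at 0x80000000.
KERNEL_BASE_X86 = 0x80000000

# Line shape inferred from the quoted lines: "<addr> <description>, <size> bytes".
LINE_RE = re.compile(r"^0x(?P<addr>[0-9A-Fa-f]+)\s+(?P<desc>.+?),\s*(?P<size>\d+)\s+bytes\s*$")
OBJ_RE = re.compile(r"\[\s*(?P<objtype>ETHREAD|EPROCESS)\s+0x(?P<objaddr>[0-9A-Fa-f]+)\s*\]")
ID_RE = re.compile(r"\b(?P<idkind>TID|PID):\s*(?P<id>\d+)")


@dataclass
class Finding:
    address: int
    kind: str                       # "exec_page", "thread", "hidden_image" or "other"
    size: int
    image: Optional[str] = None     # module name for hidden images
    obj_type: Optional[str] = None  # ETHREAD / EPROCESS
    obj_addr: Optional[int] = None
    id_kind: Optional[str] = None   # TID / PID
    id_val: Optional[int] = None

    @property
    def in_kernel_space(self) -> bool:
        return self.address >= KERNEL_BASE_X86


def classify(desc: str) -> str:
    """Map the free-text description to a coarse category."""
    if desc.startswith("Unknown page with executable code"):
        return "exec_page"
    if desc.startswith("Unknown thread object"):
        return "thread"
    if desc.startswith("Hidden Image-->"):
        return "hidden_image"
    return "other"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; returns None for lines that do not match the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    desc = m.group("desc")
    f = Finding(address=int(m.group("addr"), 16), kind=classify(desc), size=int(m.group("size")))
    om = OBJ_RE.search(desc)
    if om:
        f.obj_type = om.group("objtype")
        f.obj_addr = int(om.group("objaddr"), 16)
    im = ID_RE.search(desc)
    if im:
        f.id_kind = im.group("idkind")
        f.id_val = int(im.group("id"))
    if f.kind == "hidden_image":
        # Name sits between "-->" and the "[ EPROCESS ... ]" block.
        f.image = desc.split("-->", 1)[1].split("[", 1)[0].strip()
    return f


def parse_log(text: str) -> List[Finding]:
    return [f for f in (parse_line(ln) for ln in text.splitlines()) if f is not None]


def triage(findings: List[Finding], known_images: Iterable[str]) -> dict:
    """Group findings for manual review. Hidden images whose names the analyst
    recognizes are separated from those that still need checking."""
    known = {n.lower() for n in known_images}
    report = {
        "kernel_exec_pages": [f for f in findings if f.kind == "exec_page" and f.in_kernel_space],
        "unknown_threads": [f for f in findings if f.kind == "thread"],
        "recognized_hidden_images": [],
        "unrecognized_hidden_images": [],
    }
    for f in findings:
        if f.kind == "hidden_image":
            bucket = "recognized_hidden_images" if (f.image or "").lower() in known else "unrecognized_hidden_images"
            report[bucket].append(f.image)
    return report


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    # Pretend the analyst recognizes only one of the two Kodak-related modules.
    summary = triage(found, {"ESCliWicMDRW.esx"})
    for key, items in summary.items():
        print(f"{key}: {[getattr(i, 'image', None) or hex(i.address) if isinstance(i, Finding) else i for i in items]}")
```

The triage output is only a sorting aid: the reply's verdict that the kernel-space entries are caused by Windows itself is the analyst's call, and the helper leaves them in a review bucket rather than deciding for you.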