Rootkit, Daemon Tools weirdness or paranoia?

Discussion in 'malware problems & news' started by Piri_Thomas, Oct 7, 2007.

Thread Status:
Not open for further replies.
  1. Piri_Thomas

    Piri_Thomas Registered Member

    Hi everyone, I'm currently wondering if I have a rootkit on my system or if I'm seeing things in clouds. Long story made long, I came to my system earlier to notice that my firewall (Sygate) was closed. I did not remember closing it, so I restarted it - and, just in case, decided to scan the system with an online scanner (my antivirus monitor, Avira, was active all the time). I opened the browser and tried to connect to Kaspersky's online scanner... and then my network just died, instantly. Connections didn't work at all. I started suspecting the worst ("someone killed my firewall and then my net when he saw me open Kaspersky's address"), I restarted, used a snapshot created by FirstDefenseISR, booted into Windows' "last known good configuration" and started scanning system with Avira, online Bitdefender, online F-Secure, Rootkit Revealer, Sophos AntiRootkit, Panda's online Nanoscan, Prevx CSI, McAfee's Stinger, MS AntiMalware. Nothing was found. For a good measure, I booted into safe mode to try a rootkit scanner there - and found out that the ones I had (Revealer, Blacklight, Avira Rootkit Scan Beta) don't seem to work in safe mode :\ - they either won't run or cause errors. (Or they expired - that's Blacklight!) But I ran IceSword in safe mode and saw something weird. Here's the log:

    Kernel Module:
    \WINDOWS\system32\DRIVERS\1394BUS.SYS
    ACPI.sys
    \WINDOWS\system32\BOOTVID.dll
    \SystemRoot\System32\Drivers\Beep.SYS
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\System32\Drivers\IsDrv122.sys
    \WINDOWS\system32\KDCOM.DLL
    KSecDD.sys
    \SystemRoot\system32\DRIVERS\L8042mou.Sys
    \SystemRoot\system32\DRIVERS\LMouKE.Sys
    MountMgr.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    Mup.sys
    NDIS.sys
    \SystemRoot\System32\Drivers\Npfs.SYS
    Ntfs.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    PartMgr.sys
    \WINDOWS\System32\Drivers\SCSIPORT.SYS
    Teefer.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    VolSnap.sys
    \WINDOWS\System32\Drivers\WMILIB.SYS
    \SystemRoot\System32\Drivers\ajmgz8bs.SYS
    atapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \Program Files\DAEMON Tools\daemon.dll
    disk.sys
    dmio.sys
    dmload.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    fltMgr.sys
    \SystemRoot\System32\framebuf.dll
    ftdisk.sys
    \WINDOWS\system32\hal.dll
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    intelide.sys
    isapnp.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \WINDOWS\system32\ntdll.dll
    \WINDOWS\system32\ntoskrnl.exe
    ohci1394.sys
    pci.sys
    pciide.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    sptd.sys
    sr.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\usbprint.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\win32k.sys


    This puzzled me:
    \SystemRoot\System32\Drivers\ajmgz8bs.SYS

    The file was not there at all. But I tried creating an empty file named ajmgz8bs.SYS and copying it into windows\system32\drivers\ - and saw "Access denied". The empty file wouldn't copy into the \drivers\ dir. Well, that looked like a rootkit hiding itself to me - so after a few tries I found out that the driver's name was apparently randomly created on each bootup (every time I saw it, it began with an A) and the driver was present in both safe mode and normal mode.

    But then I found out that when you skip the sptd.sys driver in safe mode or normal, the weird nonexistent "driver" will not show up in Ice Sword. Sptd.sys is a driver installed by Daemon Tools for drive emulation purposes, so it would seem that the strangely named driver is something like a virtual driver that it makes for its own use? I also found the weirdly named file on another computer where Daemons were installed.

    I still am a bit concerned, though, about that shutdown of Sygate and the "death" of the network. (How would you grade Sygate, by the way? I am behind a router, so I just wanted a small basic firewall and decided to go with Sygate after reading reviews.) Are there any other symptoms of potential infection that I should be looking for? I am not showing any outgoing or incoming packets (would it be possible for a rootkit to conceal them? I've been checking them with TCPview and Sygate's own monitor - is there something more powerful worth recommending?), Ice Sword is not showing anything weird other than the awkwardly named driver, there is no disk activity and Filemon shows only normal accesses to files... so am I being paranoid or should I dig further, but with other methods and tools?

    TIA!
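A defender-side triage of a listing like the one above, added here as an example and not taken from the thread: it normalises the IceSword-style path spellings, checks each loaded module against a view of what actually exists on disk, and flags names that look randomised. The log excerpt and the on-disk set are constructed for the example; on a real machine the set would come from walking the drivers directory, and the SPTD case in the thread shows why a hit is a lead to investigate, not a verdict.

```python
import re

# Constructed excerpt in the shape of an IceSword "Kernel Module" listing (not a real capture).
SAMPLE_LOG = r"""Kernel Module:
\WINDOWS\system32\DRIVERS\1394BUS.SYS
ACPI.sys
\SystemRoot\System32\Drivers\ajmgz8bs.SYS
sptd.sys
\Program Files\DAEMON Tools\daemon.dll
Teefer.sys
"""

# Constructed stand-in for a directory walk: drive-relative, lower-case paths present on disk.
ON_DISK = {
    r"\windows\system32\drivers\1394bus.sys",
    r"\windows\system32\drivers\acpi.sys",
    r"\windows\system32\drivers\sptd.sys",
    r"\program files\daemon tools\daemon.dll",
    r"\windows\system32\drivers\teefer.sys",
}

DRIVER_DIR = r"\windows\system32\drivers"
# Heuristic only: 8 alphanumerics mixing letters and digits, like ajmgz8bs.SYS.
# Legitimate names such as i8042prt.sys also match, so treat it as a weak signal.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}\.sys$")

def normalize(entry: str) -> str:
    """Map the tool's different path spellings onto one drive-relative, lower-case form."""
    p = entry.strip().lower()
    if "\\" not in p:                         # bare name: loaded from the drivers directory
        return DRIVER_DIR + "\\" + p
    if p.startswith("\\systemroot\\"):        # \SystemRoot\ is the NT-object spelling of \WINDOWS\
        p = "\\windows\\" + p[len("\\systemroot\\"):]
    return p

def triage(log: str, on_disk: set) -> list:
    """Return (original entry, reason) pairs for modules that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        if not line.strip() or line.endswith(":"):   # skip blanks and the section header
            continue
        path = normalize(line)
        name = path.rsplit("\\", 1)[-1]
        if path not in on_disk:
            findings.append((line.strip(), "loaded but no backing file on disk"))
        if RANDOM_NAME.match(name):
            findings.append((line.strip(), "randomised-looking driver name"))
    return findings
```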
  2. fcukdat

    fcukdat Registered Member

    Healthy paranoia and examination, but you missed out the leading ARK forensic tool from the equation (RootKit Unhooker) :D

    But FYI you will find the random driver is also created by Daemon Tools and thus a legitimate object :thumb:
    Last edited: Oct 7, 2007
  3. lucas1985

    lucas1985 Retired Moderator

    Nothing to worry about :)
    Daemon Tools uses rootkit-like techniques to defeat copy protection schemes.
    Wikipedia
  4. Cerxes

    Cerxes Registered Member

    If you don't use Securom 7.x games...

    /C.