ACPI Rootkit: finally a tool that discovered it!

Discussion in 'malware problems & news' started by SystemJunkie, Jun 27, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Using Gmer's "show all" function =>

    http://i4.tinypic.com/15x7m8p.gif

    Does that mean that it shows all device drivers or all rootkits?

    Gmer crashes because it's too much... (ignore the thread topic, it was an assumption)
     
    Last edited: Jun 27, 2006
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Thanks for the links, StevieO! The rkunhooker viewer shows nothing special; all such stuff can be found with IceSword or gmer.

    Actually Explorer.exe shows an open port that varies: it's UDP port 1321,
    sometimes UDP 1026, 1027... but I see no special or dangerous DLL. Crazy, isn't it?

    A cut from a string extraction of explorer.exe:
    cys.exe
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\srvWiz
    CYSMustRun
    install.exe
    -embedding
    SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
    OriginalDPI
    OUTLOOK.EXE
    explorer.exe,16
    WordMail
    ,RunOnceExProcess
    iernonce.dll
    Shell Startup: Stop
    Shell Startup: Start
    WININET.DLL
    System\Setup <<<<<<<<<<<<<<<<<<<<<<<<<
    AuditinProgress
    UpdateURL
    WindowsUpdate
    HWND%x
    VisualEffects
    Software\Microsoft\Windows\CurrentVersion\OemStartMenuData
    DoDesktopCleanup
    fldrclnr.dll,Wizard_RunDLL
    iexplore.exe
    shell\open\command
    winbrand.dll
    RogueProgramName <<<<<<<<<<<<<<<<<<<<<<<<<< is this usual? Why Rogue?
    _DelayedBootStuff
    _SyncThreadProc
    TrayNotifyHorizOpen
    TrayNotifyVertOpen
    Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
    Software\Clients
    ShowInfoTip
    jjh
    xpsp2res.dll
    shell32.dll
    nusrmgr.cpl ,initialTask=ChangePicture
    WindowMetrics
    UseDialog
    NewExeName
    rundll32.exe
    StartMenuLogoff
    Advanced
    TaskBandVert
    TraySettings
    Windows
    TaskbarVert
    ediskeer.dll
    IEFrame

    Some Microsoft DLLs are without a description; is this usual?
    explorer.exe
    C:\WINDOWS\system32\oleaut32.dll 5.01.2600.2180 04.08.2004 14:00
    C:\WINDOWS\system32\clbcatq.dll 2001.12.4414.0308 26.07.2005 06:39
    C:\WINDOWS\system32\comres.dll 2001.12.4414.0258 04.08.2004 14:00
    C:\WINDOWS\system32\olepro32.dll 5.01.2600.2180 04.08.2004 14:00

    winlogon.exe
    C:\WINDOWS\inf\syssetup.PNF / 26.10.2005 17:11
    C:\WINDOWS\system32\clbcatq.dll 2001.12.4414.0308 26.07.2005 06:39
    C:\WINDOWS\system32\comres.dll 2001.12.4414.0258 04.08.2004 14:00
    C:\WINDOWS\system32\oleaut32.dll 5.01.2600.2180 04.08.2004 14:00
     
    Last edited: Jul 2, 2006
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The strings you mention look normal.
     
    Last edited: Jul 4, 2006
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Just about anytime something opens a port, the local port is going to be pretty much random, and, as noted, acpi.sys is a critical system file...
     