Do I have rootkits (gmer log)

~removed HJT log as per this Announcement....Bubba~

Hello all!

I decided to run a gmer, after seeing being recommended alot here. It produced the following log: http://maniacmansion.dk/gmerlog.txt

Apart from all the Outpost hookers theres alot of these IRP_MJ_CREATE. Did some googling on those but I can't figure out if it is indeed some rootkit or not =/

I run NOD32 2.7, Outpost (584) for resident, and spybot, spysweeper etc. on demand.

Any help will be greatly appreciated.

 

I am not sure about gmers detections, the kernel texts are questionable,

I also see things like this

.text ntkrnlpa.exe!ZwCallbackReturn + 23E8 805010EC 8 Bytes [ 20, 31, BB, EB, F0, 37, BB, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23FC 80501100 8 Bytes [ B0, BD, BA, EB, 25, E5, 40, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2424
80501128 8 Bytes [ 80, AF, BA, EB, 62, DD, 40, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 262C 80501330 8 Bytes [ 68, CB, FC, 86, C0, F2, BA, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2668

BUt if it is a real danger, I doubt a bit.

 

Ill try to run Ice sword, also I'm not sure if I'm running the latest version om gmer (nov 28 the exe file says).

 

Just out of curiosity, do you have MJ Registry Watcher installed?

 

No =)

I'm still scanning, been trying several rootkit scanners now. Each finds something different
Edit: Blacklight didn't find anything.

 

If you have NVIDIA then nwiz.exe should be ok, if not it could be a trojan.

Did you install all those Poker and Casino and betting items ?

I see you have also been using rootkit revealer, can you post a link to the log.


StevieO

 

Did any one Google ntkrnlpa.exe. It looks like it could be bad.

 

I can try rootkit revealer again, it crashed when i tried to save the log. Yeah I've installed some of those poker/casinos (I play a little poker etc. from time to time) Alot of them are prolly filled with crap, I'll have to check that also. And yes, I have nvidia stuff running.

 

Check this out, pwr- looks like the "MJ" stuff's ok
http://msdn2.microsoft.com/en-us/library/ms795806.aspx

 

Thanks and sorry for not replying, I've been having a nasty flu. I'll try for the third time to post a RKR log (it crashed when I try to save the log (says the location im browsing isn't connected or something)).

 

'Do I have rootkits?'

Is there anything abnormally different about the normal running of the machine to make you believe so?

Look at your connections.
Investigate your traffic.

Use IceSword looking for red entries and note them.
Check Processes and note the file and folder names...red = hidden processes.
Check Win32 Services and note any red services...red = rooted service.
Check SSDT and note red file and folder names...rootkits alter the SDT entries to hook the APIs natively.
Note. SSDT hooks are not necessary rootkit specific.

 

.text ntkrnlpa.exe!ZwCallbackReturn + 23E8 805010EC 8 Bytes [ 20, 31, BB, EB, F0, 37, BB, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23FC 80501100 8 Bytes [ B0, BD, BA, EB, 25, E5, 40, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2424
80501128 8 Bytes [ 80, AF, BA, EB, 62, DD, 40, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 262C 80501330 8 Bytes [ 68, CB, FC, 86, C0, F2, BA, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2668

offtopic:
Oh, my good - 23FC it is more than 9 Kb of code. If that called hook detection then I do not know what is the hook.

All others hooks in GMER log - Spy Sweeper/Agnitum hooks.
Anything else in GMER log are totally useless.

 

Oh my good indeed! I'll try a screenshot of RKR then since it keeps crashing. I'll try to look for what you mentioned Meriadoc.

 

Hello,
Instead of playing with tools that are so incredible ambiguous and difficult to understand, why not pop a Linux / BartPE live CD into the tray, reboot and then examine the contents of the hard drive? That's the first place to start with potential rootkit infections. Inspecting a system from within is tricky. Like trying to see what color is the sky from outside (the other side, not the blue one).
Mrk

 

Interesting thought. I'll check that out for sure =)

 

@pwr

Your log looks clean.

I would add only one thing:
sptd.sys is Alcohol or Daemon Tools driver which is responsible for a lot of \Device\* hooks.

http://blogs.technet.com/markrussin...kits-to-defeat-digital-rights-management.aspx

Regards

 

gmer yes it appears so, as I do have Daemon installed. Thanks for replying =)

 

Mrkvonic ever heard from user mode rootkits? Your linux stuff won´t help,
ever heard from hardware based and flashed stuff, linux won´t help.
Ever heard from stream based rootkits??

So your easy thoughts are too easy, oldsdchool rootkits should be found with your tips but nothing more, just for info.

So Gmer maybe you can explain the sense of this info:
.text ntkrnlpa.exe!ZwCallbackReturn

 

Hello,
User mode rootkits, will help.
Hardware-based rootkits - science fiction.
Stream-based rootkits - science fiction.
Mrk

 

If I find the time I will show you infos about file infectors that survive reformatting hds and other stuff like your linux boot cd.

 

Hello,
Sure do. Reformatting is one thing. Deleting partition table is another.
Besides, file surviving reformat is hardly undetectable, undefeatable rootkits.
Registry is useless when you delete the partitions.
Mrk

 

Hi SystemJunkie.

Of course, this is to much information and I will expand my whitelist.
Windows kernel code sections has a few "live" places where the code is different in the memory and in the file.

You can show all of differences when you tick only "Sections + Show all" >> Scan

Maybe GMER shows to much but believe me somethimes it's only way. I'm very glad to hear your comments.

On expample and question: is it malware or not ( nothing is hidden ) ?

Code:

GMER 1.0.12.11860 - http://www.gmer.net
Rootkit scan 2006-10-29 22:42:17
Windows 5.1.2600 Dodatek Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

PAGE    ntoskrnl.exe!ZwOpenKey                                  805614D5 10 Bytes  JMP F68A578C \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwQueryValueKey                            805649A8 7 Bytes  JMP F68A57B8 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwCreateKey                                80568063 10 Bytes  JMP F68A5766 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwSetValueKey                              8056E527 7 Bytes  JMP F68A5834 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwTerminateThread                          8057797C 6 Bytes  JMP F68A5896 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwCreateThread                             80578262 7 Bytes  JMP F68A58AC \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwEnumerateValueKey                        805791FE 7 Bytes  JMP F68A57DC \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwTerminateProcess                         80583E1E 8 Bytes  JMP F68A5880 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwDeleteValueKey                           80590430 7 Bytes  JMP F68A5858 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwDeleteKey                                805966BD 7 Bytes  JMP F68A586E \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!NtSetSecurityObject                        80596B78 8 Bytes  JMP F68A58D6 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwSetSystemInformation                     8059E110 10 Bytes  JMP F68A58F0 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!FsRtlCopyWrite                             8060A476 7 Bytes  JMP F689E8DA \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwRestoreKey                               806453B0 6 Bytes  JMP F68A581A \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwReplaceKey                               80646892 8 Bytes  JMP F68A5800 \SystemRoot\System32\DRIVERS\driver.sys
.text   Ntfs.sys                                                F98B2BCA 7 Bytes  JMP F689E820 \SystemRoot\System32\DRIVERS\driver.sys
.text   Ntfs.sys                                                F98B4A58 7 Bytes  JMP F689E85E \SystemRoot\System32\DRIVERS\driver.sys
PAGE    Ntfs.sys                                                F98D6320 7 Bytes  JMP F689E7E2 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    Ntfs.sys                                                F98D6E37 10 Bytes  JMP F689E7A4 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    Ntfs.sys                                                F98DD097 7 Bytes  JMP F689E8DA \SystemRoot\System32\DRIVERS\driver.sys
.text   Fastfat.SYS                                             F8056AED 7 Bytes  JMP F689E820 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    Fastfat.SYS                                             F805A7C8 7 Bytes  JMP F689E7E2 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    Fastfat.SYS                                             F805DC8A 7 Bytes  JMP F689E7A4 \SystemRoot\System32\DRIVERS\driver.sys
PAGE    Fastfat.SYS                                             F8064821 7 Bytes  JMP F689E85E \SystemRoot\System32\DRIVERS\driver.sys

---- Devices - GMER 1.0.12 ----

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE                    [F689E396] driver.sys
Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE                     [F689E3EE] driver.sys
Device  \FileSystem\Ntfs \Ntfs IRP_MJ_READ                      [F689E4F6] driver.sys
Device  \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE                     [F689E49E] driver.sys
Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION           [F689E446] driver.sys
Device  \FileSystem\Ntfs \Ntfs FastIoRead                       [F689E5CC] driver.sys
Device  \FileSystem\Ntfs \Ntfs FastIoWrite                      [F689E54E] driver.sys
Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE             [F689E396] driver.sys
Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE              [F689E3EE] driver.sys
Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_READ               [F689E4F6] driver.sys
Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE              [F689E49E] driver.sys
Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION    [F689E446] driver.sys
Device  \FileSystem\Fastfat \FatCdrom FastIoRead                [F689E5CC] driver.sys
Device  \FileSystem\Fastfat \FatCdrom FastIoWrite               [F689E54E] driver.sys
Device  \FileSystem\Fastfat \Fat IRP_MJ_CREATE                  [F689E396] driver.sys
Device  \FileSystem\Fastfat \Fat IRP_MJ_CLOSE                   [F689E3EE] driver.sys
Device  \FileSystem\Fastfat \Fat IRP_MJ_READ                    [F689E4F6] driver.sys
Device  \FileSystem\Fastfat \Fat IRP_MJ_WRITE                   [F689E49E] driver.sys
Device  \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION         [F689E446] driver.sys
Device  \FileSystem\Fastfat \Fat FastIoRead                     [F689E5CC] driver.sys
Device  \FileSystem\Fastfat \Fat FastIoWrite                    [F689E54E] driver.sys

---- EOF - GMER 1.0.12 ----

 

Drivers.sys is related to hxdef rootkit isn´t it?

I have no problem with that many informations of Gmer, the only problem is that the analysis can lead to hours of forensic analysis and paranoia.

Maybe a good idea would be a kind of threat rating, similar to antispy tools.
If further investigations would be useful or not.

And very important you should give user a opportunity to save Gmer Rootkit logs to notepad or .txt save possibility! Otherwise I always have to make hundreds of screenshots of the Gmer scan results.

Could this be considered as Rustock variant?
http://i12.tinypic.com/46z8wgw.png

Beside I appreciate Gmer very much, hopefully it gets more user log abilities like mentioned above.

 

"Hardware-based rootkits - science fiction" depends on the context. In this context yes. If you mean "covert embedded functionality" then very very real. I cannot say anything else on this.

 

It's not related to hxdef, it's kind of kernel mode "protector" of malware.

It's an idea, but, believe me, that nowdays so many AV products uses "rootkit" technology that it would probably generate many false alarms.

Please read the FAQ - just use Copy button.

I don't think so. Default GMER shows up to 10 ADStreams and all hidden ( i.e. Rustock ). To show all ADS tick only Files + NTFS Drive + ADS + Show all.