ACPI Rootkit: finally a tool that discovered it!

Discussion in 'malware problems & news' started by SystemJunkie, Jun 27, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Using Gmer's "show all" function =>

    http://i4.tinypic.com/15x7m8p.gif

    Does that mean that it shows all device drivers or all rootkits?

    Gmer crashes because it's too much... (ignore the thread topic, it was an assumption)
     
    Last edited: Jun 27, 2006
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Thanks for the links, StevieO! The rkunhooker viewer shows nothing special; all such stuff can be found with IceSword or gmer.

    Actually Explorer.exe shows an open port that varies, it's UDP port 1321,
    sometimes UDP 1026, 1027... but I see no special or dangerous DLL, crazy, isn't it?

    A cut of the string extraction of explorer.exe:
    cys.exe
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\srvWiz
    CYSMustRun
    install.exe
    -embedding
    SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
    OriginalDPI
    OUTLOOK.EXE
    explorer.exe,16
    WordMail
    ,RunOnceExProcess
    iernonce.dll
    Shell Startup: Stop
    Shell Startup: Start
    WININET.DLL
    System\Setup <<<<<<<<<<<<<<<<<<<<<<<<<
    AuditinProgress
    UpdateURL
    WindowsUpdate
    HWND%x
    VisualEffects
    Software\Microsoft\Windows\CurrentVersion\OemStartMenuData
    DoDesktopCleanup
    fldrclnr.dll,Wizard_RunDLL
    iexplore.exe
    shell\open\command
    winbrand.dll
    RogueProgramName <<<<<<<<<<<<<<<<<<<<<<<<<< is this usual? Why Rogue?
    _DelayedBootStuff
    _SyncThreadProc
    TrayNotifyHorizOpen
    TrayNotifyVertOpen
    Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
    Software\Clients
    ShowInfoTip
    jjh
    xpsp2res.dll
    shell32.dll
    nusrmgr.cpl ,initialTask=ChangePicture
    WindowMetrics
    UseDialog
    NewExeName
    rundll32.exe
    StartMenuLogoff
    Advanced
    TaskBandVert
    TraySettings
    Windows
    TaskbarVert
    ediskeer.dll
    IEFrame

    Some Microsoft DLLs are without a description, is this usual?
    explorer.exe
    C:\WINDOWS\system32\oleaut32.dll 5.01.2600.2180 04.08.2004 14:00
    C:\WINDOWS\system32\clbcatq.dll 2001.12.4414.0308 26.07.2005 06:39
    C:\WINDOWS\system32\comres.dll 2001.12.4414.0258 04.08.2004 14:00
    C:\WINDOWS\system32\olepro32.dll 5.01.2600.2180 04.08.2004 14:00

    winlogon.exe
    C:\WINDOWS\inf\syssetup.PNF / 26.10.2005 17:11
    C:\WINDOWS\system32\clbcatq.dll 2001.12.4414.0308 26.07.2005 06:39
    C:\WINDOWS\system32\comres.dll 2001.12.4414.0258 04.08.2004 14:00
    C:\WINDOWS\system32\oleaut32.dll 5.01.2600.2180 04.08.2004 14:00
     
    Last edited: Jul 2, 2006
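    The post above inspects explorer.exe by dumping its printable strings and eyeballing them for registry keys, module names and odd words. The script below is an added example (not part of the thread, not the output of Gmer, IceSword or rkunhooker) that does the same triage step systematically: it pulls ASCII and UTF-16LE runs out of a byte buffer, the way `strings -n 4` and its wide-string variant do, and buckets them into registry paths, URLs and module names so they can be compared against a known-good copy of the same binary. The byte buffer is constructed inline and only mimics a few PE string fragments; `triage_file` is an assumed helper name for running it over a real file.

```python
import re
from typing import Dict, List

MIN_LEN = 4  # same default as `strings -n 4`

# Constructed sample buffer standing in for a Windows binary such as explorer.exe.
# Not real file contents; the fragments are assembled so the example runs offline.
SAMPLE_BLOB = b"".join([
    b"\x00\x01MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",   # non-printable header bytes
    b"cys.exe\x00\x00\x00",
    b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\srvWiz\x00",
    b"\x05\x06ab\x00",                                                # "ab" is shorter than MIN_LEN
    b"http://example.invalid/update\x00",
    b"RogueProgramName\x00",
    b"iernonce.dll\x00\x00",
    "WININET.DLL".encode("utf-16-le"), b"\x00",                       # a wide (UTF-16LE) string
    b"\x7f\x80\x81garbage\xfe",                                       # 0x7f is not in the printable range
])


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    found.sort(key=lambda pair: pair[0])
    return [s for _, s in found]


# Category patterns, checked in order; the first match wins.
_CATEGORIES = [
    ("registry", re.compile(r"^(HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\", re.I)),
    ("url", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),
    ("module", re.compile(r"\.(exe|dll|sys|cpl|ocx)$", re.I)),
]


def classify(s: str) -> str:
    """Label one extracted string as registry path, URL, module name, or other."""
    for name, pattern in _CATEGORIES:
        if pattern.search(s):
            return name
    return "other"


def triage(data: bytes, min_len: int = MIN_LEN) -> Dict[str, List[str]]:
    """Group all extracted strings by category; 'other' holds the leftovers to eyeball by hand."""
    buckets: Dict[str, List[str]] = {"registry": [], "url": [], "module": [], "other": []}
    for s in extract_strings(data, min_len):
        buckets[classify(s)].append(s)
    return buckets


def triage_file(path: str, min_len: int = MIN_LEN) -> Dict[str, List[str]]:
    """Assumed helper: run triage over a file on disk (e.g. a copy of explorer.exe)."""
    with open(path, "rb") as fh:
        return triage(fh.read(), min_len)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_BLOB).items():
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

    Running it on a binary and on a known-good copy of the same file (same version, from installation media or a clean machine) and diffing the two outputs is far more informative than reading one list alone: a string like "RogueProgramName" that appears in both copies is part of the legitimate binary, while a registry path or module name present only in the suspect copy is worth a closer look.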
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The strings you mention look normal.
     
    Last edited: Jul 4, 2006
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Just about anytime something opens a port, the local port is going to be pretty much random, and, as noted, acpi.sys is a critical system file...
     