Amazingly-coded rootkit?!

Discussion in 'malware problems & news' started by Paranoid, Mar 14, 2005.

Thread Status:
Not open for further replies.
  1. Paranoid

    Paranoid Guest

    Hi all. I've recently contracted what I found out to be W32.Mazocker.A (taken from CA's definition), a trojan that is stealthed. If you read their description, it would indicate that this trojan spits out some tmp*.tmp files. These files, on average, are the size of about .5 gigs each, and are churned out as fast as possible when I boot up my computer. It disables my Sygate firewall as well as Norton AV on bootup. As mentioned, the trojan is stealthed, and all my attempts to find it so far have come to nought (including looking into the registry at indicated areas). The only indication something was even wrong was the fact that the hard disk was spinning furiously as Norton picked up the files (PWSteal.Trojan, but the analysis seems to be a little off). The Task Manager read 4% RAM usage, and the 'busy' lights were -not- blinking.

    Amazing, no?

    Software I've tried: Ad-aware, AntiVir, AVG, RootkitRevealer, TDS-3, HijackThis, a2(a-squared), Bitdefender, and Norton of course. None seem to pick up anything is even remotely amiss. Any ideas? I'm pretty close to reformatting my drive.
     
  2. Paranoid

    Paranoid Guest

    Not even a peep from a famous website? :p
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Honestly, if I thought I had a rootkit on my system, I would format immediately (making sure to have all security in place before connecting to the internet). You would want to make sure there are NO traces left.

    First, however, you can try updating TDS-3, going into 'scan options' and putting a check in all options except "Show all NTFS/ADS Streams", then scan in safe mode. If you're still intent on finding it, or do find it and want/need help, try posting a link to this thread in the TDS-3 forum.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would suggest slaving the infected drive off a clean protected system and running a scan with TDS3 and an up-to-date anti-virus program.

    Hope this helps.

    Let us know how you go...

    Cheers :D
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i'd format too.

    you can try, when you boot up and connect to the internet, before you do anything else open a DOS prompt - start>run>cmd>OK then type in netstat -ano and have a look at what is listening and what is established, noting that down along with the port numbers and the PIDs and posting back what you see :)
     
  6. Paranoid

    Paranoid Guest

    Thanks for the prompt reply. I'm running in safe mode now, scanning with the options mentioned earlier. So far the only thing turning up is dual extensions, which are of my own devising. Will try the slaving off bit once I get some time to muck around with the computer. Netstat indicates the TCP ports 135 and 445 are open and listening, as well as their UDP counterparts, among others (1026, 1040, 1142, 1142, 1170, 1133, 1137, 9 on the UDP). Not sure how the trojan did that, but grc.com tells me I'm still covered up so that's good. I configured my router to block all traffic passing through those ports anyway so it shouldn't be a problem. I'll create the link to this thread in the TDS forums once the TDS scan finishes.

    Thanks again.
     
  7. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    did you note down the PIDs too? if so you can have a look at what it is that is using the ports
     
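    The netstat -ano / PID bookkeeping suggested in the two posts above, done in code: the following Python is an added example for this thread, not something any participant posted. It parses netstat output, lists what is listening, groups sockets under their owning PID, and flags any PID that owns a socket but is absent from the task list (the netstat text and the PID-to-image map are constructed sample data, not the original poster's real output).

```python
"""Parse Windows `netstat -ano` output and tie each socket to its owning PID.

The netstat text and the PID-to-image map below are constructed sample data
for this example; they are not the thread author's real output."""
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1170      203.0.113.5:80         ESTABLISHED     1712
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1026           *:*                                    1052
  UDP    127.0.0.1:1040         *:*                                    1052
"""

# Constructed PID -> image name map, as copied from Task Manager's PID column.
SAMPLE_PIDS = {4: "System", 988: "svchost.exe", 1052: "svchost.exe", 1712: "opera.exe"}


def parse_netstat(text):
    """Return one dict per socket line: proto, local address/port, foreign address, state, pid.
    UDP lines carry no State column, so the PID is the fourth field there."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and 'Active Connections' lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        addr, port = local.rsplit(":", 1)  # rsplit also handles [::]:135
        rows.append({"proto": proto, "local_addr": addr, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def listening_ports(rows):
    """Sockets that accept inbound traffic: TCP in LISTENING state and every bound UDP socket."""
    return sorted((r["proto"], r["local_port"], r["pid"]) for r in rows
                  if r["proto"] == "UDP" or r["state"] == "LISTENING")


def sockets_by_pid(rows, pid_names):
    """Group sockets under their owning PID and name the image from the task list."""
    grouped = defaultdict(set)
    for r in rows:
        grouped[r["pid"]].add(f'{r["proto"]}/{r["local_port"]}')
    return {pid: (pid_names.get(pid, "<not in task list>"), sorted(labels))
            for pid, labels in grouped.items()}


def unattributed_pids(rows, pid_names):
    """PIDs that own a socket but do not appear in the task list at all.
    On a clean box this is empty; a PID the TCP/IP stack reports but the
    process list does not show is a cross-view discrepancy worth chasing."""
    return sorted({r["pid"] for r in rows} - set(pid_names))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, pid in listening_ports(rows):
        print(f"{proto}/{port:<5} pid {pid:<5} {SAMPLE_PIDS.get(pid, '<not in task list>')}")
    print("unattributed:", unattributed_pids(rows, SAMPLE_PIDS))
```

To use it on a real machine, paste the netstat -ano output into SAMPLE_NETSTAT and the PID/image pairs from Task Manager (View > Select Columns > PID) into SAMPLE_PIDS; ports 135 and 445 owned by svchost.exe and System, as the original poster saw, are the normal XP baseline, and the interesting output is any PID that comes back as "<not in task list>".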
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Does anything show using ProcessExplorer? Set up the base view to display command line and image path (View>Select Columns; check Image Path and Command Line). Double click on a process and hit the TCP/IP tab to assess port usage.

    Blue
     
  9. Paranoid

    Paranoid Guest

    Oh. From what I saw, everything belonged to either the System process (PID 4, opened the 445 port) or svchost.exe (TCP port 135 as well as everything else.) And no, I'm not running ProcessExplorer. I apparently don't have the options for Image Path/Commandline.
     
  10. Paranoid

    Paranoid Guest

    My bad, I misread that. No, I don't have ProcessExplorer. I might physically disconnect my computer and try running it while the temp files get churned out. Usually takes a while though :p Like 20 seconds to process a mouse click. I'll tell you what I find.
     
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    In and of itself, this is normal behavior. If you have 20 seconds between mouse clicks, try to identify where the CPU cycles are being spent. The default process tree view is probably best for now.

    Blue
     
  12. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Just click on the link to download UnHackme.
    It's very simple to use and you'll know if you're infected or not by the usual rootkits:

    http://www.greatis.com/unhackme.zip


    Nb: Image : AV test with AFXRootkit2005:
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  14. doubtya

    doubtya Guest

    Check out F-Secure's new BlackLight technology; they do have a time-limited beta available for download at their site www.f-secure.com
     
  15. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    If all else fails, you may want to download "kaspersky personal pro". Here's the link. http://www.kaspersky.com/trials?chapter=154373188 It may be more trouble than it's worth though. You would have to uninstall Norton antivirus first.

    If nothing else works, you may just have to reformat. Kaspersky personal pro is supposed to be one of the best at catching trojans. Its trial version is good for, I believe, 30 days. Hopefully, TDS3 should catch this. Maybe you can get it configured correctly, if it's not already. Good luck.

    I wouldn't want no stealth trojan on my computer.
     
  16. Paranoid

    Paranoid Guest

  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Did I miss the part in this thread or the TDS thread where the TDS scan finished and you shared your results :doubt:
     
  19. Paranoid

    Paranoid Guest

    Nah, Bubba, you missed nothing. I don't think TDS has a scan log function, but nothing has turned up (other than dual extensions which I made with full knowledge), if you were wondering :p I'm downloading Kaspersky now. ProcX looks very good. I like it. I ran it with the Trojan active. Still looks like it's successfully hiding, though, since RAM usage is still minimal even though the hard drive is spinning like a top.
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In TDS: after the scanning, in the alerts window at the bottom right-click on one of the alerts and choose "save to text".
    This Scandump.txt you can paste in your next posting.
    But be so kind as to scan with all options checked and worm slider on highest sensitivity, all other scanners downed, etc etc and unnecessary programs closed temporarily to speed up the scanning, so you don't have to wait that long for results.

    Now we're even more interested to have you sending your sample in (address in my sig below) since you know to activate it.
     
  21. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Just make sure that you have it set not to hide 'protected operating system files', you can check this by going into any explorer window (ie "My Computer"), clicking Tools > Folder Options, switching to the "View" tab, and make sure there is not a check in "Hide protected operating system files (recommended)"
     
  22. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.security.org.sg/code/kproccheck.html

    Have you tried running this one yet? (Sample output from my computer below, using all switches):

    "C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck.exe -p
    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Process list by traversal of ActiveProcessLinks

    4 - System
    112 - explorer.exe
    252 - RioMSC.exe
    260 - wmiprvse.exe --[Zombie]--
    340 - locator.exe
    420 - SnoopFreeSvc.ex
    456 - smss.exe
    512 - svchost.exe
    532 - pgaccount.exe
    568 - csrss.exe
    596 - ups.exe
    628 - winlogon.exe
    712 - services.exe
    732 - lsass.exe
    804 - userinit.exe --[Zombie]--
    868 - mrublaster.exe --[Zombie]--
    920 - svchost.exe
    988 - svchost.exe
    1052 - svchost.exe
    1108 - logonui.exe --[Zombie]--
    1220 - svchost.exe
    1400 - spyblocker.exe
    1404 - spoolsv.exe
    1428 - cmd.exe --[Zombie]--
    1532 - alg.exe
    1540 - mrublaster.exe --[Zombie]--
    1632 - wuauclt.exe --[Zombie]--
    1704 - mainserv.exe
    1712 - opera.exe
    1744 - DCSUserProt.exe
    1772 - eraserl.exe --[Zombie]--
    1784 - ewidoctrl.exe
    1796 - ewidoguard.exe
    1880 - nod32krn.exe
    1892 - nod32kui.exe
    1912 - pctspk.exe
    1972 - PGPServ.exe
    2000 - NWClient.exe
    2028 - imapi.exe --[Zombie]--
    2084 - mrublaster.exe --[Zombie]--
    2092 - gcasServ.exe
    2192 - nwiz.exe --[Zombie]--
    2200 - mrublaster.exe --[Zombie]--
    2228 - gcasDtServ.exe
    2236 - mrublaster.exe --[Zombie]--
    2256 - rundll32.exe --[Zombie]--
    2296 - rkdetector.exe --[Zombie]--
    2336 - mrublaster.exe --[Zombie]--
    2416 - msimn.exe --[Zombie]--
    2540 - regedit.exe --[Zombie]--
    2560 - mrublaster.exe --[Zombie]--
    2620 - mrublaster.exe --[Zombie]--
    2652 - jusched.exe
    2696 - srmclean.exe --[Zombie]--
    2720 - notepad.exe --[Zombie]--
    2728 - SnoopFreeUI.exe
    2788 - TeaTimer.exe
    2820 - mrublaster.exe --[Zombie]--
    2892 - procguard.exe
    2904 - iexplore.exe --[Zombie]--
    2924 - fsbl.exe --[Zombie]--
    2964 - mrublaster.exe --[Zombie]--
    2972 - mrublaster.exe --[Zombie]--
    3036 - hackmon.exe
    3096 - mrublaster.exe --[Zombie]--
    3100 - mrublaster.exe --[Zombie]--
    3108 - KProcCheck.exe
    3124 - cmd.exe
    3224 - mrublaster.exe --[Zombie]--
    3228 - Display.exe --[Zombie]--
    3244 - notepad.exe --[Zombie]--
    3360 - PGPtray.exe
    3428 - ShadowUser.exe
    3472 - MWSnap.exe --[Zombie]--
    3528 - scheduler.exe
    3688 - MWSnap.exe
    3712 - KProcCheck.exe --[Zombie]--
    3752 - apcsystray.exe
    3756 - mrublaster.exe --[Zombie]--
    3768 - RootkitRevealer --[Zombie]--
    3772 - notepad.exe --[Zombie]--
    3788 - notepad.exe --[Zombie]--
    3848 - cookiem.exe
    3912 - rkdetector.exe --[Zombie]--
    3916 - idblasterplus.e
    3988 - sgmain.exe
    3996 - mrublaster.exe --[Zombie]--
    4072 - sgbhp.exe

    Total number of processes = 88

    C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck.exe -s
    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Process list by traversal of KiWaitListHead

    4 - System
    112 - explorer.exe
    420 - SnoopFreeSvc.ex
    532 - pgaccount.exe
    568 - csrss.exe
    628 - winlogon.exe
    712 - services.exe
    732 - lsass.exe
    920 - svchost.exe
    988 - svchost.exe
    1052 - svchost.exe
    1532 - alg.exe
    1704 - mainserv.exe
    1712 - opera.exe
    1744 - DCSUserProt.exe
    1784 - ewidoctrl.exe
    1796 - ewidoguard.exe
    1880 - nod32krn.exe
    1892 - nod32kui.exe
    1972 - PGPServ.exe
    2000 - NWClient.exe
    2092 - gcasServ.exe
    2228 - gcasDtServ.exe
    2788 - TeaTimer.exe
    2892 - procguard.exe
    3124 - cmd.exe
    3360 - PGPtray.exe
    3428 - ShadowUser.exe
    3528 - scheduler.exe
    3752 - apcsystray.exe
    3848 - cookiem.exe
    3916 - idblasterplus.e
    3988 - sgmain.exe
    4072 - sgbhp.exe

    Total number of processes = 34
    NOTE: Under WinXP, this will not show all processes.

    C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck.exe -d
    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Driver/Module list by traversal of PsLoadedModuleList

    804D7000 - \WINDOWS\system32\ntoskrnl.exe
    806EC000 - \WINDOWS\system32\hal.dll
    F7B2D000 - \WINDOWS\system32\KDCOM.DLL
    F7A3D000 - \WINDOWS\system32\BOOTVID.dll
    F7A41000 - SnopFree.sys
    F75DE000 - ACPI.sys
    F7B2F000 - \WINDOWS\System32\DRIVERS\WMILIB.SYS
    F75CD000 - pci.sys
    F762D000 - isapnp.sys
    F763D000 - ohci1394.sys
    F764D000 - \WINDOWS\System32\DRIVERS\1394BUS.SYS
    F7A45000 - compbatt.sys
    F7A49000 - \WINDOWS\System32\DRIVERS\BATTC.SYS
    F7B31000 - viaide.sys
    F78AD000 - \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    F765D000 - MountMgr.sys
    F75AE000 - ftdisk.sys
    F7B33000 - dmload.sys
    F7588000 - dmio.sys
    F78B5000 - PartMgr.sys
    F766D000 - VolSnap.sys
    F7570000 - atapi.sys
    F767D000 - disk.sys
    F768D000 - \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    F7551000 - fltmgr.sys
    F7535000 - Shadow.sys
    F751E000 - KSecDD.sys
    F7491000 - Ntfs.sys
    F7464000 - NDIS.sys
    F769D000 - vvoice.sys
    F7402000 - vpctcom.sys
    F736E000 - vmodem.sys
    F7353000 - Mup.sys
    F76AD000 - amdagp.sys
    F76DD000 - \SystemRoot\System32\DRIVERS\processr.sys
    F713B000 - \SystemRoot\System32\DRIVERS\nv4_mini.sys
    F7127000 - \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    F76ED000 - \SystemRoot\System32\DRIVERS\nic1394.sys
    F76FD000 - \SystemRoot\system32\drivers\es1371mp.sys
    F7103000 - \SystemRoot\system32\drivers\portcls.sys
    F770D000 - \SystemRoot\system32\drivers\drmk.sys
    F70E0000 - \SystemRoot\system32\drivers\ks.sys
    F78ED000 - \SystemRoot\System32\DRIVERS\SMC1211.SYS
    F70C4000 - \SystemRoot\System32\DRIVERS\ptserlp.sys
    F78FD000 - \SystemRoot\System32\Drivers\Modem.SYS
    F70B0000 - \SystemRoot\System32\DRIVERS\parport.sys
    F771D000 - \SystemRoot\System32\DRIVERS\serial.sys
    F7AE1000 - \SystemRoot\System32\DRIVERS\serenum.sys
    F7915000 - \SystemRoot\System32\DRIVERS\fdc.sys
    F772D000 - \SystemRoot\System32\DRIVERS\i8042prt.sys
    F791D000 - \SystemRoot\System32\DRIVERS\mouclass.sys
    F773D000 - \SystemRoot\System32\Drivers\PGPsdk.sys
    F7925000 - \SystemRoot\System32\DRIVERS\kbdclass.sys
    F7935000 - \SystemRoot\System32\Drivers\MxlW2k.SYS
    F774D000 - \SystemRoot\System32\DRIVERS\cdrom.sys
    F775D000 - \SystemRoot\System32\DRIVERS\imapi.sys
    F776D000 - \SystemRoot\System32\DRIVERS\redbook.sys
    F794D000 - \SystemRoot\System32\DRIVERS\usbuhci.sys
    F6FED000 - \SystemRoot\System32\DRIVERS\USBPORT.SYS
    F7C9B000 - \SystemRoot\System32\DRIVERS\audstub.sys
    F777D000 - \SystemRoot\System32\DRIVERS\rasl2tp.sys
    F7AF5000 - \SystemRoot\System32\DRIVERS\ndistapi.sys
    F6FD6000 - \SystemRoot\System32\DRIVERS\ndiswan.sys
    F778D000 - \SystemRoot\System32\DRIVERS\raspppoe.sys
    F779D000 - \SystemRoot\System32\DRIVERS\raspptp.sys
    F796D000 - \SystemRoot\System32\DRIVERS\TDI.SYS
    F6FC5000 - \SystemRoot\System32\DRIVERS\psched.sys
    F77AD000 - \SystemRoot\System32\DRIVERS\msgpc.sys
    F797D000 - \SystemRoot\System32\DRIVERS\ptilink.sys
    F798D000 - \SystemRoot\System32\DRIVERS\raspti.sys
    F6F6C000 - \SystemRoot\System32\DRIVERS\rdpdr.sys
    F77BD000 - \SystemRoot\System32\DRIVERS\termdd.sys
    F7B3B000 - \SystemRoot\System32\DRIVERS\swenum.sys
    F6F38000 - \SystemRoot\System32\DRIVERS\update.sys
    F7B19000 - \SystemRoot\System32\DRIVERS\mssmbios.sys
    F77CD000 - \SystemRoot\System32\DRIVERS\usbhub.sys
    F7B3F000 - \SystemRoot\System32\DRIVERS\USBD.SYS
    F77DD000 - \SystemRoot\System32\Drivers\NDProxy.SYS
    F7317000 - \SystemRoot\System32\DRIVERS\gameenum.sys
    F799D000 - \SystemRoot\System32\DRIVERS\flpydisk.sys
    F7B49000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS
    F7C20000 - \SystemRoot\System32\Drivers\Null.SYS
    F7B4D000 - \SystemRoot\System32\Drivers\Beep.SYS
    F79BD000 - \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    F79C5000 - \SystemRoot\System32\drivers\vga.sys
    F7B51000 - \SystemRoot\System32\Drivers\mnmdd.SYS
    F7B55000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys
    F79D5000 - \SystemRoot\System32\Drivers\Msfs.SYS
    F79E5000 - \SystemRoot\System32\Drivers\Npfs.SYS
    F7ACD000 - \SystemRoot\System32\DRIVERS\rasacd.sys
    F5DDD000 - \SystemRoot\System32\DRIVERS\ipsec.sys
    F5D85000 - \SystemRoot\System32\DRIVERS\tcpip.sys
    F7ADD000 - \SystemRoot\System32\drivers\ws2ifsl.sys
    F5D64000 - \SystemRoot\System32\DRIVERS\ipnat.sys
    F77FD000 - \SystemRoot\System32\DRIVERS\wanarp.sys
    F5D42000 - \SystemRoot\System32\drivers\afd.sys
    F780D000 - \SystemRoot\System32\DRIVERS\arp1394.sys
    F781D000 - \SystemRoot\System32\DRIVERS\netbios.sys
    F5C77000 - \SystemRoot\System32\DRIVERS\rdbss.sys
    F5C08000 - \SystemRoot\System32\DRIVERS\mrxsmb.sys
    F782D000 - \SystemRoot\System32\Drivers\Fips.SYS
    F7C45000 - \??\C:\Program Files\ewido\security suite\guard.sys
    F7AFD000 - \SystemRoot\System32\DRIVERS\hidusb.sys
    F783D000 - \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    F7C49000 - \SystemRoot\System32\Drivers\BANTExt.sys
    F785D000 - \SystemRoot\System32\Drivers\Cdfs.SYS
    F7A1D000 - \SystemRoot\System32\DRIVERS\usbccgp.sys
    F6FA5000 - \SystemRoot\System32\Drivers\SMCLIB.SYS
    F6FA1000 - \SystemRoot\System32\DRIVERS\kbdhid.sys
    F5BC8000 - \SystemRoot\System32\Drivers\dump_atapi.sys
    F7B5B000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    BF800000 - \SystemRoot\System32\win32k.sys
    F78CD000 - \SystemRoot\System32\watchdog.sys
    F6F1C000 - \SystemRoot\System32\drivers\Dxapi.sys
    BF9C1000 - \SystemRoot\System32\drivers\dxg.sys
    F7CF6000 - \SystemRoot\System32\drivers\dxgthk.sys
    BF9D3000 - \SystemRoot\System32\nv4_disp.dll
    F4B53000 - \??\C:\WINDOWS\system32\Drivers\truecrypt.sys
    F4A3B000 - \SystemRoot\System32\DRIVERS\netbt.sys
    F7CEE000 - \??\C:\WINDOWS\System32\socketlock.sys
    F4B93000 - \SystemRoot\System32\DRIVERS\ndisuio.sys
    F40F6000 - \SystemRoot\System32\DRIVERS\mrxdav.sys
    F7BB7000 - \SystemRoot\System32\Drivers\ParVdm.SYS
    F40A4000 - \SystemRoot\System32\Drivers\PGPdisk.SYS
    F405B000 - \??\C:\WINDOWS\System32\drivers\amon.sys
    F3E78000 - \SystemRoot\System32\DRIVERS\srv.sys
    F7905000 - \??\C:\WINDOWS\system32\drivers\procguard.sys
    F3AF3000 - \SystemRoot\system32\drivers\wdmaud.sys
    F4AAB000 - \SystemRoot\system32\drivers\sysaudio.sys
    F7CB9000 - \??\C:\WINDOWS\system32\Drivers\RKREVEAL110.SYS
    F2F60000 - \SystemRoot\system32\drivers\kmixer.sys
    F7D52000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

    Total number of drivers = 132

    C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KprocCheck -t
    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Checks SDT for Hooked Native APIs

    KeServiceDescriptorTable 80559B80
    KeServiceDescriptorTable.ServiceTable 804E2D20
    KeServiceDescriptorTable.ServiceLimit 284

    ZwCreateFile 25 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908C90]
    ZwCreateKey 29 \??\C:\WINDOWS\system32\drivers\procguard.sys [F790772C]
    ZwCreateProcessEx 30 SnopFree.sys [F7A419E4]
    ZwCreateSymbolicLinkObject 34 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908356]
    ZwCreateThread 35 \??\C:\WINDOWS\system32\drivers\procguard.sys [F79086C6]
    ZwFsControlFile 54 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908DDA]
    ZwOpenFile 74 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908AD8]
    ZwOpenKey 77 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7907682]
    ZwOpenProcess 7A \??\C:\Program Files\ewido\security suite\guard.sys [F7C4568C]
    ZwOpenSection 7D \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908190]
    ZwProtectVirtualMemory 89 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908104]
    ZwReadVirtualMemory BA \??\C:\WINDOWS\system32\drivers\procguard.sys [F79080D0]
    ZwRequestWaitReplyPort C8 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7905CE2]
    ZwSetContextThread D5 \??\C:\WINDOWS\system32\drivers\procguard.sys [F79089DE]
    ZwSetSystemInformation F0 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7909550]
    ZwSetValueKey F7 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7907ABE]
    ZwSuspendProcess FD \??\C:\WINDOWS\system32\drivers\procguard.sys [F790813C]
    ZwSuspendThread FE \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908A32]
    ZwTerminateProcess 101 \??\C:\WINDOWS\system32\drivers\procguard.sys [F79080A6]
    ZwTerminateThread 102 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908A08]
    ZwWriteVirtualMemory 115 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7907FCA]

    Number of Service Table entries hooked = 21

    C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KprocCheck -g
    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Checks Shadow SDT for Hooked Native GDI APIs

    KeServiceDescriptorTableShadow 80559B40
    KeServiceDescriptorTableShadow.SDE[1].ServiceTable BF997600
    KeServiceDescriptorTableShadow.SDE[1].ServiceLimit 667

    Entry 7 Hooked - snopfree.sys [F7A41E85]
    Entry D Hooked - snopfree.sys [F7A41E01]
    Entry BF Hooked - snopfree.sys [F7A41F13]
    Entry E9 Hooked - snopfree.sys [F7A41EBC]
    Entry 124 Hooked - snopfree.sys [F7A41E43]
    Entry 17F Hooked - snopfree.sys [F7A41F46]
    Entry 1CC Hooked - snopfree.sys [F7A41DA8]
    Entry 1DD Hooked - snopfree.sys [F7A41FC6]
    Entry 225 Hooked - \??\C:\WINDOWS\system32\drivers\procguard.sys [F79093EC]

    Number of GDI Service Table entries hooked = 9

    C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck -u
    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Support driver successfully unloaded."

    Looking at the results of mine, can you see anywhere in that info anything that is likely to help you in what you're looking for at the moment? Pete
     
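    What spy1's KProcCheck dump is actually good for is cross-view comparison: the -p listing walks ActiveProcessLinks (the list Task Manager sees), the -s listing walks the scheduler's KiWaitListHead, and the -t listing shows which driver owns each hooked SDT entry. The Python below is an added example written for this thread, not code from KProcCheck, SIG^2 or any poster. It parses listings in KProcCheck's output format (the listings embedded here are constructed samples; the PIDs, addresses and the name example_unlinked.exe are invented stand-ins), reports processes present in the wait list but unlinked from ActiveProcessLinks, and summarises SDT hooks per driver so that hooks from anything other than products you installed on purpose stand out. The allow-list of known hooking drivers is an assumption you fill in for your own box.

```python
"""Cross-view process comparison and SDT hook summary over KProcCheck-style output.

All listings below are constructed samples in KProcCheck's output format; the
entries (PIDs, names, addresses) are invented for this example, and
example_unlinked.exe is a stand-in, not a real malware name."""
import re
from collections import Counter

ACTIVE_PROCESS_LINKS = """\
Process list by traversal of ActiveProcessLinks

4 - System
456 - smss.exe
568 - csrss.exe
628 - winlogon.exe
1712 - opera.exe
2296 - rkdetector.exe --[Zombie]--

Total number of processes = 6
"""

KI_WAIT_LIST = """\
Process list by traversal of KiWaitListHead

4 - System
568 - csrss.exe
1712 - opera.exe
1337 - example_unlinked.exe

Total number of processes = 4
NOTE: Under WinXP, this will not show all processes.
"""

SDT_HOOKS = r"""Checks SDT for Hooked Native APIs

KeServiceDescriptorTable 80559B80
KeServiceDescriptorTable.ServiceTable 804E2D20
KeServiceDescriptorTable.ServiceLimit 284

ZwCreateFile 25 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908C90]
ZwCreateProcessEx 30 SnopFree.sys [F7A419E4]
ZwOpenProcess 7A \??\C:\Program Files\ewido\security suite\guard.sys [F7C4568C]
ZwTerminateProcess 101 \??\C:\WINDOWS\system32\drivers\procguard.sys [F79080A6]

Number of Service Table entries hooked = 4
"""

PROC_RE = re.compile(r"^(\d+)\s+-\s+(.+?)(\s+--\[Zombie\]--)?$")
HOOK_RE = re.compile(r"^(\w+)\s+([0-9A-Fa-f]+)\s+(.+?)\s+\[([0-9A-Fa-f]+)\]$")


def parse_process_list(text):
    """{pid: (image_name, is_zombie)} from a `-p` or `-s` listing."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = (m.group(2), m.group(3) is not None)
    return procs


def cross_view_diff(active_links, wait_list):
    """PIDs the scheduler's wait list knows but ActiveProcessLinks does not.
    That is the discrepancy left by a rootkit that unlinks its EPROCESS from the
    list Task Manager walks. The reverse gap (in -p but not in -s) is expected on
    XP, as KProcCheck's own NOTE says, so it is not reported."""
    return {pid: wait_list[pid][0] for pid in wait_list if pid not in active_links}


def parse_sdt_hooks(text):
    """Hooked-SDT lines -> api, service index, hooking module basename, handler address."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            api, index_hex, module, addr_hex = m.groups()
            hooks.append({"api": api, "index": int(index_hex, 16),
                          "module": module.rsplit("\\", 1)[-1].lower(),
                          "address": int(addr_hex, 16)})
    return hooks


def hooks_by_module(hooks):
    """How many native API entries each driver has redirected."""
    return Counter(h["module"] for h in hooks)


def hooks_outside_allowlist(hooks, known_modules):
    """Hooking drivers that are not products you installed on purpose (allow-list is yours)."""
    return sorted({h["module"] for h in hooks} - {m.lower() for m in known_modules})


if __name__ == "__main__":
    active = parse_process_list(ACTIVE_PROCESS_LINKS)
    waiting = parse_process_list(KI_WAIT_LIST)
    print("in wait list but not in ActiveProcessLinks:", cross_view_diff(active, waiting))
    hooks = parse_sdt_hooks(SDT_HOOKS)
    print("hooks per module:", dict(hooks_by_module(hooks)))
    print("unexpected hookers:", hooks_outside_allowlist(hooks, ["procguard.sys", "SnopFree.sys"]))
```

Read against spy1's real dump: every -s entry there also appears in -p, so there is no cross-view gap, and all 21 SDT hooks belong to procguard.sys, SnopFree.sys and ewido's guard.sys, which are the security products he runs. That is what a clean result looks like; the result to worry about is a PID in the second list that is missing from the first, or a hooking driver you cannot account for.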
  23. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    So I got some time today, and I ran a few tests using the software mentioned here, both in safe mode and in normal startup (which activates the trojan, naturally). I've taken screenies where possible, since I'm not an expert at system processes and will need your help distinguishing what's what.

    Some things to note:
    • In safe mode I run on minimal (msconfig's /safeboot) settings.
    • KProcCheck cannot run (kernel support driver not loaded or somesuch) in safe mode.
    • Kaspersky cannot be installed in either startup mode (unable to install InstallShield Scripting Runtime), but I think this might be due to me having installed other AVs. I'll look this one up.
    • Process Explorer 'does not have debug privileges and runs with reduced capabilities' in safe mode.
    • Nprotect still dies on normal startup, but surprisingly can still function (it still detects the tmp files).
    • UnHackMe finds nothing in both modes.
    • Antivir finds nothing in safe mode, did not run in normal (would've taken a matter of days at the rate it was scanning :p)
    • A-squared finds nothing in safe mode.

    The following replies contain screenies for ProcX and Process Explorer for both modes except KProcCheck, since it doesn't work in Safe Mode, and TDS (too long as well). The .rar attached has the TDS and HijackThis logs (change extension back to .rar before unzipping, naturally). Please take a look and tell me what you think. Thanks again.

    PS. One last thing. I think we must deduce that the securers.dll file is actually STILL running even in safe mode, since none of the associated bad files are showing up. This is creepy.
     
  24. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    ProcX in Safe Mode

    Pretty bare here...
     
  25. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    In normal startup, I have the Google Mail notifier, Sygate firewall, a custom skinning software package (ObjectBar and gang), an IP Filter (Protowall) and a HTTP Proxy (Proxomitron) running... so I can tell you about some of the files if they look suspicious.
     
