Do I have rootkits (gmer log)

Discussion in 'malware problems & news' started by pwr, Dec 5, 2006.

Thread Status:
Not open for further replies.
  1. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
    ~removed HJT log as per this Announcement....Bubba~

    Hello all!

I decided to run gmer, after seeing it being recommended a lot here. It produced the following log: http://maniacmansion.dk/gmerlog.txt

Apart from all the Outpost hooks there's a lot of these IRP_MJ_CREATE. Did some googling on those but I can't figure out if it is indeed some rootkit or not =/

    I run NOD32 2.7, Outpost (584) for resident, and spybot, spysweeper etc. on demand.

    Any help will be greatly appreciated.
     
    Last edited by a moderator: Dec 7, 2006
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
I am not sure about gmer's detections, the kernel texts are questionable,

    I also see things like this

    .text ntkrnlpa.exe!ZwCallbackReturn + 23E8 805010EC 8 Bytes [ 20, 31, BB, EB, F0, 37, BB, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 23FC 80501100 8 Bytes [ B0, BD, BA, EB, 25, E5, 40, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2424
    80501128 8 Bytes [ 80, AF, BA, EB, 62, DD, 40, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 262C 80501330 8 Bytes [ 68, CB, FC, 86, C0, F2, BA, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2668

But if it is a real danger, I doubt a bit.
     
  3. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
I'll try to run IceSword; also I'm not sure if I'm running the latest version of gmer (Nov 28, the exe file says).
     
  4. MikeH

    MikeH Registered Member

    Joined:
    May 15, 2005
    Posts:
    20
    Just out of curiosity, do you have MJ Registry Watcher installed?
     
  5. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
    No =)

    I'm still scanning, been trying several rootkit scanners now. Each finds something different o_O
    Edit: Blacklight didn't find anything.
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    If you have NVIDIA then nwiz.exe should be ok, if not it could be a trojan.

    Did you install all those Poker and Casino and betting items ?

I see you have also been using rootkit revealer, can you post a link to the log?


    StevieO
     
  7. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
Did anyone Google ntkrnlpa.exe? It looks like it could be bad.
     
  8. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
I can try rootkit revealer again, it crashed when I tried to save the log. Yeah, I've installed some of those poker/casinos (I play a little poker etc. from time to time). A lot of them are prolly filled with crap, I'll have to check that also. And yes, I have NVIDIA stuff running.
     
  9. MikeH

    MikeH Registered Member

    Joined:
    May 15, 2005
    Posts:
    20
  10. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
Thanks and sorry for not replying, I've been having a nasty flu. I'll try for the third time to post a RKR log (it crashed when I try to save the log (says the location I'm browsing isn't connected or something)).
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    'Do I have rootkits?'

    Is there anything abnormally different about the normal running of the machine to make you believe so?

    Look at your connections.
    Investigate your traffic.

Use IceSword, looking for red entries, and note them.
Check Processes and note the file and folder names...red = hidden processes.
Check Win32 Services and note any red services...red = rooted service.
Check SSDT and note red file and folder names...rootkits alter the SDT entries to hook the APIs natively.
Note. SSDT hooks are not necessarily rootkit specific.
     
    Last edited: Dec 7, 2006
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    .text ntkrnlpa.exe!ZwCallbackReturn + 23E8 805010EC 8 Bytes [ 20, 31, BB, EB, F0, 37, BB, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 23FC 80501100 8 Bytes [ B0, BD, BA, EB, 25, E5, 40, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2424
    80501128 8 Bytes [ 80, AF, BA, EB, 62, DD, 40, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 262C 80501330 8 Bytes [ 68, CB, FC, 86, C0, F2, BA, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2668

    offtopic:
Oh, my good - 23FC, it is more than 9 KB of code. If that is called hook detection then I do not know what a hook is.

All other hooks in the GMER log are Spy Sweeper/Agnitum hooks.
Anything else in the GMER log is totally useless.
     
  13. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
    Oh my good indeed! I'll try a screenshot of RKR then since it keeps crashing. I'll try to look for what you mentioned Meriadoc.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
Instead of playing with tools that are so incredibly ambiguous and difficult to understand, why not pop a Linux / BartPE live CD into the tray, reboot and then examine the contents of the hard drive? That's the first place to start with potential rootkit infections. Inspecting a system from within is tricky. Like trying to see what color the sky is from outside (the other side, not the blue one).
    Mrk
     
  15. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
    Interesting thought. I'll check that out for sure =)
     
  16. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
  17. pwr

    pwr Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    70
    gmer yes it appears so, as I do have Daemon installed. Thanks for replying =)
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
Mrkvonic, ever heard of user mode rootkits? Your Linux stuff won't help.
Ever heard of hardware based and flashed stuff? Linux won't help.
Ever heard of stream based rootkits o_O??

So your easy thoughts are too easy, old school rootkits should be found with your tips but nothing more, just for info.

    So Gmer maybe you can explain the sense of this info:
    .text ntkrnlpa.exe!ZwCallbackReturn
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
User mode rootkits - will help.
    Hardware-based rootkits - science fiction.
    Stream-based rootkits - science fiction.
    Mrk
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
If I find the time I will show you info about file infectors that survive reformatting HDs and other stuff like your Linux boot CD.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
Sure do. Reformatting is one thing. Deleting the partition table is another.
Besides, a file surviving a reformat is hardly an undetectable, undefeatable rootkit.
The registry is useless when you delete the partitions.
    Mrk
     
  22. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hi SystemJunkie.

Of course, this is too much information and I will expand my whitelist.
Windows kernel code sections have a few "live" places where the code is different in memory and in the file.

You can show all of the differences when you tick only "Sections + Show all" >> Scan

Maybe GMER shows too much but believe me, sometimes it's the only way. I'm very glad to hear your comments.

One example and question: is it malware or not ( nothing is hidden ) ?

    Code:
    GMER 1.0.12.11860 - http://www.gmer.net
    Rootkit scan 2006-10-29 22:42:17
    Windows 5.1.2600 Dodatek Service Pack 2
    
    ---- Kernel code sections - GMER 1.0.12 ----
    
    PAGE    ntoskrnl.exe!ZwOpenKey                                  805614D5 10 Bytes  JMP F68A578C \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwQueryValueKey                            805649A8 7 Bytes  JMP F68A57B8 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwCreateKey                                80568063 10 Bytes  JMP F68A5766 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwSetValueKey                              8056E527 7 Bytes  JMP F68A5834 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwTerminateThread                          8057797C 6 Bytes  JMP F68A5896 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwCreateThread                             80578262 7 Bytes  JMP F68A58AC \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwEnumerateValueKey                        805791FE 7 Bytes  JMP F68A57DC \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwTerminateProcess                         80583E1E 8 Bytes  JMP F68A5880 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwDeleteValueKey                           80590430 7 Bytes  JMP F68A5858 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwDeleteKey                                805966BD 7 Bytes  JMP F68A586E \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!NtSetSecurityObject                        80596B78 8 Bytes  JMP F68A58D6 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwSetSystemInformation                     8059E110 10 Bytes  JMP F68A58F0 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!FsRtlCopyWrite                             8060A476 7 Bytes  JMP F689E8DA \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwRestoreKey                               806453B0 6 Bytes  JMP F68A581A \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    ntoskrnl.exe!ZwReplaceKey                               80646892 8 Bytes  JMP F68A5800 \SystemRoot\System32\DRIVERS\driver.sys
    .text   Ntfs.sys                                                F98B2BCA 7 Bytes  JMP F689E820 \SystemRoot\System32\DRIVERS\driver.sys
    .text   Ntfs.sys                                                F98B4A58 7 Bytes  JMP F689E85E \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    Ntfs.sys                                                F98D6320 7 Bytes  JMP F689E7E2 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    Ntfs.sys                                                F98D6E37 10 Bytes  JMP F689E7A4 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    Ntfs.sys                                                F98DD097 7 Bytes  JMP F689E8DA \SystemRoot\System32\DRIVERS\driver.sys
    .text   Fastfat.SYS                                             F8056AED 7 Bytes  JMP F689E820 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    Fastfat.SYS                                             F805A7C8 7 Bytes  JMP F689E7E2 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    Fastfat.SYS                                             F805DC8A 7 Bytes  JMP F689E7A4 \SystemRoot\System32\DRIVERS\driver.sys
    PAGE    Fastfat.SYS                                             F8064821 7 Bytes  JMP F689E85E \SystemRoot\System32\DRIVERS\driver.sys
    
    ---- Devices - GMER 1.0.12 ----
    
    Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE                    [F689E396] driver.sys
    Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE                     [F689E3EE] driver.sys
    Device  \FileSystem\Ntfs \Ntfs IRP_MJ_READ                      [F689E4F6] driver.sys
    Device  \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE                     [F689E49E] driver.sys
    Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION           [F689E446] driver.sys
    Device  \FileSystem\Ntfs \Ntfs FastIoRead                       [F689E5CC] driver.sys
    Device  \FileSystem\Ntfs \Ntfs FastIoWrite                      [F689E54E] driver.sys
    Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE             [F689E396] driver.sys
    Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE              [F689E3EE] driver.sys
    Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_READ               [F689E4F6] driver.sys
    Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE              [F689E49E] driver.sys
    Device  \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION    [F689E446] driver.sys
    Device  \FileSystem\Fastfat \FatCdrom FastIoRead                [F689E5CC] driver.sys
    Device  \FileSystem\Fastfat \FatCdrom FastIoWrite               [F689E54E] driver.sys
    Device  \FileSystem\Fastfat \Fat IRP_MJ_CREATE                  [F689E396] driver.sys
    Device  \FileSystem\Fastfat \Fat IRP_MJ_CLOSE                   [F689E3EE] driver.sys
    Device  \FileSystem\Fastfat \Fat IRP_MJ_READ                    [F689E4F6] driver.sys
    Device  \FileSystem\Fastfat \Fat IRP_MJ_WRITE                   [F689E49E] driver.sys
    Device  \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION         [F689E446] driver.sys
    Device  \FileSystem\Fastfat \Fat FastIoRead                     [F689E5CC] driver.sys
    Device  \FileSystem\Fastfat \Fat FastIoWrite                    [F689E54E] driver.sys
    
    ---- EOF - GMER 1.0.12 ----
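The two GMER excerpts argued over in this thread (EP_X0FF's point that a diff reported at ZwCallbackReturn + 23FC sits more than 9 KB past the export it is named after, and gmer's driver.sys example above) are the same triage problem: work out which module each modified entry points at, and separate real detours from in-memory byte differences that GMER can only attribute to the nearest export. Below is an added example of that triage, written for this page; it is not GMER's code nor anything posted by the thread's participants. The sample log is constructed from the line formats quoted in the thread (the addresses are the ones printed above), and the FAR_OFFSET threshold of one page is an assumption of the example, not a GMER setting.

```python
"""Triage helper for GMER 1.0.12 'Kernel code sections' and 'Devices' lines.

Added example, not GMER's own code.  It groups every reported hook by the
module that owns the hook target, and marks byte diffs that lie far past
the export GMER named them after, so the reader can decide which owners
belong to installed security software and which need a closer look.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines in the exact layout GMER prints, taken from the
# excerpts quoted in this thread and assembled into one log for the example.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.12 ----

PAGE    ntoskrnl.exe!ZwOpenKey                                  805614D5 10 Bytes  JMP F68A578C \SystemRoot\System32\DRIVERS\driver.sys
PAGE    ntoskrnl.exe!ZwQueryValueKey                            805649A8 7 Bytes  JMP F68A57B8 \SystemRoot\System32\DRIVERS\driver.sys
.text   Ntfs.sys                                                F98B2BCA 7 Bytes  JMP F689E820 \SystemRoot\System32\DRIVERS\driver.sys
.text   ntkrnlpa.exe!ZwCallbackReturn + 23E8                    805010EC 8 Bytes [ 20, 31, BB, EB, F0, 37, BB, ... ]
.text   ntkrnlpa.exe!ZwCallbackReturn + 23FC                    80501100 8 Bytes [ B0, BD, BA, EB, 25, E5, 40, ... ]

---- Devices - GMER 1.0.12 ----

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE                    [F689E396] driver.sys
Device  \FileSystem\Fastfat \Fat IRP_MJ_CREATE                  [F689E396] driver.sys
Device  \FileSystem\Fastfat \Fat FastIoRead                     [F689E5CC] driver.sys

---- EOF - GMER 1.0.12 ----
"""

# Assumption of this example: a diff more than one page (0x1000 bytes) past the
# named export is attributed to that export only because it was the nearest one.
FAR_OFFSET = 0x1000

# "<section> <module>[!<export>][ + <offset>] <address> <n> Bytes <detail>"
SECTION_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+"
    r"(?P<module>[^\s!]+)(?:!(?P<symbol>\w+))?(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+) Bytes\s+(?P<detail>.*\S)\s*$"
)
# detail of an inline detour: "JMP <target> <path of module containing target>"
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})\s+(?P<path>\S+)$")
# "Device <driver object> <device object> <IRP_MJ_*|FastIo*> [<handler>] <owner>"
DEVICE_RE = re.compile(
    r"^Device\s+(?P<device>\S+ \S+)\s+(?P<op>IRP_MJ_\w+|FastIo\w+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]{8})\]\s+(?P<owner>\S+)\s*$"
)


@dataclass
class Hook:
    kind: str             # "jmp_detour", "byte_diff" or "dispatch_hook"
    target: str           # what was modified: export, module or device + operation
    address: int
    owner: Optional[str]  # module the hook resolves to, None when GMER gave none
    note: str = ""


def parse_gmer_log(text: str) -> list:
    """Return one Hook per recognised line; unrelated lines are skipped."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            addr = int(m["addr"], 16)
            target = m["module"] + (f"!{m['symbol']}" if m["symbol"] else "")
            jmp = JMP_RE.match(m["detail"])
            if jmp:
                # Inline detour: the owner is the last path component GMER printed.
                owner = jmp["path"].rsplit("\\", 1)[-1]
                hooks.append(Hook("jmp_detour", target, addr, owner,
                                  f"{m['nbytes']}-byte JMP to {jmp['target']}"))
            else:
                # Bytes differ between memory and file but no detour was decoded.
                offset = int(m["offset"], 16) if m["offset"] else 0
                note = f"in-memory bytes differ from file at +{offset:#x} ({offset} bytes)"
                if offset > FAR_OFFSET:
                    note += "; far past the named export, attribution is nominal"
                hooks.append(Hook("byte_diff", target, addr, None, note))
            continue
        d = DEVICE_RE.match(line)
        if d:
            hooks.append(Hook("dispatch_hook", f"{d['device']} {d['op']}", int(d["addr"], 16),
                              d["owner"], "dispatch handler resolves outside the file-system driver"))
    return hooks


def hooks_by_owner(hooks: list) -> dict:
    """Group hook targets by owning module; the triage question is per owner."""
    by_owner = {}
    for h in hooks:
        by_owner.setdefault(h.owner or "<unattributed>", []).append(h.target)
    return by_owner


if __name__ == "__main__":
    parsed = parse_gmer_log(SAMPLE_LOG)
    for owner, targets in hooks_by_owner(parsed).items():
        print(f"{owner}: {len(targets)} entries")
        for t in targets:
            print(f"    {t}")
    for h in parsed:
        if h.kind == "byte_diff":
            print(f"{h.target}: {h.note}")
```

Run against a real log, the per-owner summary reduces pages of output to a short list of module names; each name is then checked against the security products actually installed (Spy Sweeper and Outpost in this thread), and only an owner that matches nothing installed is worth the deeper look. The unattributed byte diffs at ZwCallbackReturn come out flagged as nominal, which is exactly EP_X0FF's objection in numbers: 0x23FC is 9212 bytes past the export.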
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
Drivers.sys is related to the hxdef rootkit, isn't it?

I have no problem with that much information from Gmer, the only problem is that the analysis can lead to hours of forensic analysis and paranoia.

Maybe a good idea would be a kind of threat rating, similar to antispy tools, indicating whether further investigation would be useful or not.

And very important: you should give the user an opportunity to save Gmer rootkit logs to Notepad or a .txt save possibility! Otherwise I always have to make hundreds of screenshots of the Gmer scan results.

    Could this be considered as Rustock variant?
    http://i12.tinypic.com/46z8wgw.png

Besides, I appreciate Gmer very much, hopefully it gets more user log abilities as mentioned above.
     
  24. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    "Hardware-based rootkits - science fiction" depends on the context. In this context yes. If you mean "covert embedded functionality" :ninja: then very very real. I cannot say anything else on this.
     
  25. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
It's not related to hxdef, it's a kind of kernel mode "protector" for malware.

It's an idea, but, believe me, nowadays so many AV products use "rootkit" technology that it would probably generate many false alarms.

    Please read the FAQ - just use Copy button.

I don't think so. By default GMER shows up to 10 ADStreams and all hidden ones ( i.e. Rustock ). To show all ADS tick only Files + NTFS Drive + ADS + Show all.
     