Possible rootkit? RootkitRevealer results

Discussion in 'malware problems & news' started by vault, Feb 14, 2007.

Thread Status:
Not open for further replies.
  1. vault

    vault Registered Member

    Joined:
    Jul 20, 2006
    Posts:
    7
    Hi,

    I run NOD32 and Outpost 4 together. The other day I was surfing and came across a page which made NOD32 pop up a warning about a Trojan. It closed the connection and cleaned the file.

    I wanted to be safe so I had NOD32 do an in-depth scan, found nothing. Had Outpost do its spyware scan, nothing. TrojanHunter found nothing (using it on-demand btw, not active protection), and avg/ewido/whatever found nothing.

    However when I went to Trend Micro's housecall, it found adware-bestoffersnetwork and adware-funwebproducts (strange the others didn't find that, has to be a false positive no?). Then with about 20 minutes left in the scan, IE simply closed on its own. Didn't crash, just closed. Thought that was weird.

    Tried to run Panda's online scan, and when I tried to install their ActiveX component, it crashed Outpost and ipoint.exe (intellipoint). I then restarted Outpost and went back to Panda, got the ActiveX component installed, but then when I clicked "my computer" to have it scan, I got "error on page."

    I thought maybe it was something weird with Outpost's adblocker plugin, so I added pandasoftware.com to my trusted list, same problem.

    Also, when I went to run the f-secure online test, the "I agree" button was blank...thought that was weird, and I got a popup saying "you have insufficient access to run this activex control" or something to that effect.

    I then ran RootkitBuster, found nothing. Ran Icesword, and the only entries in SSDT were for Outpost and NOD32. I ran RootkitRevealer, and got this:

    HKLM\SECURITY\Policy\Secrets\SAC* 9/22/2006 11:04 PM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI* 9/22/2006 11:04 PM 0 bytes Key name contains embedded nulls (*)
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\920CNAWQ\login[1].htm 2/14/2007 3:39 PM 78 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\920CNAWQ\main[2].htm 2/14/2007 3:39 PM 56.39 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\920CNAWQ\ServiceLoginAuth[1].htm 2/14/2007 4:40 PM 3.40 KB Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\920CNAWQ\show_home_page[1].htm 2/14/2007 3:39 PM 17.24 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\920CNAWQ\stats_data[1].htm 2/14/2007 4:40 PM 24.16 KB Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\CCCADD3O\main[1].htm 2/14/2007 3:40 PM 52.77 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\O6GHIMVS\login[1].htm 2/14/2007 4:40 PM 78 bytes Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\O6GHIMVS\main[1].htm 2/14/2007 3:40 PM 62.63 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\O6GHIMVS\main[2].htm 2/14/2007 4:40 PM 62.50 KB Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\O6GHIMVS\main[3].htm 2/14/2007 4:40 PM 56.39 KB Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\O6GHIMVS\ServiceLoginAuth[2].htm 2/14/2007 3:40 PM 3.39 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\O6GHIMVS\show_home_page[1].htm 2/14/2007 4:40 PM 17.24 KB Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\WSYRC99Z\main[1].htm 2/14/2007 4:41 PM 52.70 KB Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\WSYRC99Z\news[1].htm 2/14/2007 3:40 PM 25.30 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\WSYRC99Z\news[2].htm 2/14/2007 4:41 PM 25.30 KB Hidden from Windows API.
    C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\WSYRC99Z\stats_data[1].htm 2/14/2007 3:40 PM 24.16 KB Visible in Windows API, but not in MFT or directory index.
    C:\Program Files\Trillian\users\default\cache\gango 2/14/2007 4:49 PM 3.98 KB Visible in directory index, but not Windows API or MFT.

    Anyone have any ideas at all? Any help is appreciated.


    thanks
     
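A triage helper for RootkitRevealer output, added here as an example and not part of the original post or of Sysinternals' tooling. It parses the log format shown above (path, date, time, size, discrepancy text), then assigns a severity from the discrepancy class and the path: "Hidden from Windows API" outside a cache or temp directory is the classic rootkit indicator and is rated high, while the same discrepancy inside Temporary Internet Files or another cache is usually a file written or deleted between RootkitRevealer's two passes, so it is rated low. The sample input is constructed: five lines copied from the log in the thread plus one constructed driver path (`example.sys`) to exercise the high-severity branch. The directory patterns and the benign registry prefix are assumptions to tune for your own environment.

```python
"""Classify RootkitRevealer discrepancies by likely cause.

Added example; not code from the thread or from Sysinternals.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: five lines from the thread's log plus one constructed
# path (example.sys) so the high-severity branch is exercised.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 9/22/2006 11:04 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/22/2006 11:04 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\920CNAWQ\login[1].htm 2/14/2007 3:39 PM 78 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\satoshi\Local Settings\Temporary Internet Files\Content.IE5\920CNAWQ\ServiceLoginAuth[1].htm 2/14/2007 4:40 PM 3.40 KB Hidden from Windows API.
C:\Program Files\Trillian\users\default\cache\gango 2/14/2007 4:49 PM 3.98 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\system32\drivers\example.sys 2/14/2007 4:50 PM 12.00 KB Hidden from Windows API.
"""

# One log line: <path with spaces> <M/D/YYYY> <H:MM AM|PM> <size unit> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)?\s(?:bytes|KB|MB|GB))\s+(?P<desc>.+)$"
)

# Assumed: directories where files churn while a browser or IM client runs.
TRANSIENT_DIRS = ("\\temporary internet files\\", "\\temp\\", "\\cache\\")
# Assumed: LSA secrets whose names legitimately contain nulls on many boxes.
BENIGN_NULL_KEYS = ("hklm\\security\\policy\\secrets\\",)


@dataclass
class Finding:
    path: str
    desc: str
    severity: str
    reason: str


def classify(path: str, desc: str) -> tuple[str, str]:
    """Map a (path, discrepancy text) pair to (severity, reason)."""
    p = path.lower()
    transient = any(d in p for d in TRANSIENT_DIRS)
    if desc.startswith("Key name contains embedded nulls"):
        if p.startswith(BENIGN_NULL_KEYS):
            return "info", "LSA secret with embedded null; commonly benign"
        return "medium", "key hidden from regedit via embedded null; inspect with a null-aware tool"
    if desc.startswith("Hidden from Windows API"):
        if transient:
            return "low", "cache file created or deleted mid-scan; rescan with browsers closed"
        return "high", "on disk but not returned by the Windows API: classic rootkit indicator"
    if desc.startswith("Visible in Windows API, but not in MFT") or desc.startswith(
        "Visible in directory index"
    ):
        return "low", "inconsistent between passes; typically written or deleted mid-scan"
    return "medium", "unrecognised discrepancy; review manually"


def triage(log_text: str) -> list[Finding]:
    """Parse RootkitRevealer output and classify every line that matches."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Keep unparsable lines visible rather than silently dropping them.
            findings.append(Finding(line, "", "medium", "unparsed line"))
            continue
        sev, why = classify(m["path"], m["desc"])
        findings.append(Finding(m["path"], m["desc"], sev, why))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda x: ("high", "medium", "low", "info").index(x.severity)):
        print(f"{f.severity:6} {f.path}\n       {f.reason}")
    print(summarize(results))
```

Run it on a saved RootkitRevealer log instead of `SAMPLE_LOG` and work the "high" entries first; everything rated "low" should simply vanish on a rescan taken with the browser, IM client and any indexing software shut down, which is the check Meriadoc recommends below.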
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Clean log...Sysinternals and RR.
    Make sure everything is shut down while using RR.

    Suggest you get to the bottom of why housecall flagged those, arm yourself by googling those products, have a look to see if they appear in IE and perhaps also go to castlecops.com and submit a hijackthis log in the HJT forum. You could also download the free SuperAntiSpyware and run a scan and also have a look at using something like the Firefox browser with NoScript unless you already do.
     
    Last edited: Feb 14, 2007
  3. vault

    vault Registered Member

    Joined:
    Jul 20, 2006
    Posts:
    7
    thanks...yeah, I submitted the HJT log at castlecops and spywareinfo, it appeared completely clean to me though, although I'm certainly no expert on it.

    I do use Firefox...not quite sure why I have a content.IE5 folder..I ran CCleaner prior to all of this too.

    I googled around for bestoffersnetwork and funwebproducts, the anti-malware applications I used are all supposed to be able to detect both of them. I have no popups from them, homepage isn't hijacked, 404's aren't redirected, so I'm a little baffled by that. I am wondering if it maybe picked up on a cookie used by one of the domains they're associated with, or something like that, and it flagged it as an infection?

    As far as why I couldn't run the online scans, that's also a mystery to me...I don't know if it is some activex issue, or Outpost interfered with them? I was able to run Bitdefender's thing without a problem.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd bet all those files had been deleted in the meantime.
     
  5. vault

    vault Registered Member

    Joined:
    Jul 20, 2006
    Posts:
    7
    What do you mean? In the meantime between what?

    Also, I still can't get Trend Micro's housecall to work whether I use IE or FF, whether I use the browser plugin or the Java-based thing. It doesn't crash, simply exits....?
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Not an uncommon problem, some time ago I think I worked out what was my problem with HC, although simply exits is a new one to me.

    Try this HouseCall page.
    Use IE, put *.trendsecure.com in your trusted sites and go to TrendSecure | HouseCall. Select Launch Housecall free scan remembering there is a check box for applying recommended action on infection. Myself I always just get these online scans to report infection.
     
  7. nippauls

    nippauls Registered Member

    Joined:
    Jan 13, 2005
    Posts:
    15
    The detected rootkit is OUTPOST.

    Do a search of wilders for "outpost rootkit" and you will get all the info you need. Outpost now uses rootkit technology like Sony did....

    BAD NEWS!
     
  8. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    Hello vault,
    Yes do use the search function. Only Outpost Security suite used hidden index files for the SmartScan. Agnitum made this optional for the released version of the suite. None of the results are those index files.
     
  9. simonguoxm

    simonguoxm Registered Member

    Joined:
    May 2, 2007
    Posts:
    2
    Too hard to find all rootkits
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    hahahaha

    All Temp Files are FPs.
     