Rootkit / malware ?

gambla · Apr 3, 2010

Hi,
i need your help on this please:

I ran some ARKs (RootRepeal, Tizer Rootkit Razor free, GMER, Rootkit Unhooker LE) and all show this:

unknown NtCreateThread 0xF7A95294 0x80586C45
unknown NtLoadKey 0xF7A952B2 0x805CE7ED
unknown NtReplaceKey 0xF7A952BC 0x806564EC
unknown NtRestoreKey 0xF7A952B7 0x80656081

All other "hooks" (?) shown in the report are listed with the name of the software (ZoneAlarm, GesWall, ThreatFire), but these entries only show "unknown" ?

Antivir and several anti-malware scanners didn't find anything (OS + UBCD4win-CD).

thank you ! your help is appreciated !

stackz · Apr 3, 2010

Avira Antivir has SSDT hooks that are reported as unknown. To be certain you can either uninstall Antivir or use something like Autoruns to temporarily disable the start up of anything to do with Antivir.

If you're familiar with WinDbg, you can trace the hook redirections.

gambla · Apr 4, 2010

Thank you stackz for the hint.

Sariel Fallen · Apr 4, 2010

Hello gambla
maybe you'll find more information here :
http://www.microsoft.com/security/p...aspx?query=NtRestoreKey 0xF7A952B7 0x80656081
and here :
http://www.microsoft.com/security/p...aspx?query=NtReplaceKey 0xF7A952BC 0x806564EC

regards

Log in or Sign up

Rootkit / malware ?

gambla Registered Member

stackz Registered Member

gambla Registered Member

Sariel Fallen Registered Member

Hard Target: Fileless Malware

WannaCry and the malware hall of fame

Hard Target: Fileless Malware

Kelihos Becomes King of the Malware Mountain

Macro malware comes to MacOS

Log in or Sign up

Rootkit / malware ?

gambla Registered Member

stackz Registered Member

gambla Registered Member

Sariel Fallen Registered Member

Hard Target: Fileless Malware

WannaCry and the malware hall of fame

Hard Target: Fileless Malware

Kelihos Becomes King of the Malware Mountain

Macro malware comes to MacOS

Useful Searches