Strange rootkit totally stealth!

Discussion in 'malware problems & news' started by sir_carew, Jan 24, 2008.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    Some time ago I was performing a scan with some anti-rootkit utilities and all reported my PC as clean. Later I tried AVG Anti-Rootkit Free Edition and it found a sys file on my hard disk. Unfortunately I cannot find this driver using Explorer or standard utilities. So I tried to delete it with AVG Anti-Rootkit. The program successfully deleted the sys file. The problem is that upon Windows restart the driver loaded itself again, but with another name.
    So I'm combating a rootkit that, when it is deleted, is created again using random names. No AV/anti-rootkit is able to delete the garbage.
    The PC behaviour is OK. I think it can be a "legal" rootkit like Sony's one.
    I read that BioShock (one of the best games I have ever played) installs a rootkit. Can this be the problem?
    I need to at least copy the driver to send it to my AV company, but it's stealthy.
    Here's a screenshot taken from AVG Anti-Rootkit.

    Thanks guys!

    Specs:
    - Windows XP SP2 with all updates.
    - ESS
    - MSI K9N4 SLI with nForce 500 SLI as chipset
    - Seagate 160 SATAII
    - ATI X1550 DDR2 512
    - 2GB RAM Kingston DDR2 667 MHz
    - AMD Athlon 64 x2 3600+ overclocked to 4000+ (2100 MHz)
     

    Last edited: Jan 25, 2008
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Go for the Gusto!

    USEC Radix Anti-Rootkit

    Scroll down to RADIX Anti-RootKit. I believe there's a fresh URL to this In-Depth Prober!!! Should give you LOTS of useful info, some in living color too! ;) Claims to "fixes on the fly patched things...and confirms Vm presence see..."
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And you say this is a "totally stealth" rootkit?

    What makes you think you'll be able to spot anything untoward that this driver is doing? Just because your PC seems okay means only that - your PC seems okay. It doesn't mean this driver isn't doing anything malicious behind the scenes.

    My guess is that something else is constantly re-creating this driver file whenever you delete it. Your best bet would be to obtain a HijackThis! or SREng scan log and post it at specialized malware removal forums for experts to assist you.

    Jot down the path/file name and reboot into Safe Mode. The file should then be visible. If that fails, use GMER's file copy function to obtain an isolated copy of that file.
     
  4. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Thanks for confirming what my gut feeling told me. And some of these games want you to install the C++ Libraries - AARGH!!!

    Acronis keeps saving my Arse....
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi sir_carew! To copy the file, please use the following tools, as I posted here. Or you can use a Linux live CD or BartPE boot CD. Let us know about the results. I assume you can't see the file via Explorer. Am I right?
    https://www.wilderssecurity.com/showpost.php?p=1159605&postcount=18
     
  6. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Ah, the propaganda man from Sysinternals has already told about it and spread the news like hungry fire.

    It either confirms SubVirt or a buggy buffer overflow.
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello!
    Finally I was able to take a copy of this file. Only Rootkit Unhooker was able to take a copy of the file. With GMER nothing was found, even with the explorer option it has.
    See the screenshot.
    Thanks!!!
     

  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,752
    Location:
    Texas
    One off topic post removed.
     
  10. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  11. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Yes, I have Daemon Tools. I also think that DT is the suspicious one here.
    So we can say DT installs a rootkit? o_O
     
  12. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Well, I've read the links you gave me and now I understand everything!
    Thanks to everyone who helped me!
     