Rootkit, Daemon Tools Weirdness Or Paranoia?



#1 PiriThomas

Posted 07 October 2007 - 07:34 AM

Hi everyone, I'm currently wondering if I have a rootkit on my system or if I'm seeing things in clouds. Long story made long, I came to my system earlier to notice that my firewall (Sygate) was closed. I did not remember closing it, so I restarted it - and, just in case, decided to scan the system with an online scanner (my antivirus monitor, Avira, was active all the time). I opened the browser and tried to connect to Kaspersky's online scanner... and then my network just died, instantly. Connections didn't work at all. I started suspecting the worst ("someone killed my firewall and then my net when he saw me open Kaspersky's address"), so I restarted, used a snapshot created by FirstDefenseISR, booted into Windows' "last known good configuration" and started scanning the system with Avira, online Bitdefender, online F-Secure, Rootkit Revealer, Sophos AntiRootkit, Panda's online Nanoscan, Prevx CSI, McAfee's Stinger, MS AntiMalware. Nothing was found. For good measure, I booted into safe mode to try a rootkit scanner there - and found out that the ones I had (Revealer, Blacklight, Avira Rootkit Scan Beta) don't seem to work in safe mode :\ - they either won't run or cause errors. (Or they expired - that's Blacklight!) But I ran IceSword in safe mode and saw something weird. Here's the log:

Kernel Module:
\WINDOWS\system32\DRIVERS\1394BUS.SYS
ACPI.sys
\WINDOWS\system32\BOOTVID.dll
\SystemRoot\System32\Drivers\Beep.SYS
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\Drivers\IsDrv122.sys
\WINDOWS\system32\KDCOM.DLL
KSecDD.sys
\SystemRoot\system32\DRIVERS\L8042mou.Sys
\SystemRoot\system32\DRIVERS\LMouKE.Sys
MountMgr.sys
\SystemRoot\System32\Drivers\Msfs.SYS
Mup.sys
NDIS.sys
\SystemRoot\System32\Drivers\Npfs.SYS
Ntfs.sys
\SystemRoot\System32\Drivers\Null.SYS
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
PartMgr.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
Teefer.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\drivers\VIDEOPRT.SYS
VolSnap.sys
\WINDOWS\System32\Drivers\WMILIB.SYS
\SystemRoot\System32\Drivers\ajmgz8bs.SYS
atapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\Program Files\DAEMON Tools\daemon.dll
disk.sys
dmio.sys
dmload.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
fltMgr.sys
\SystemRoot\System32\framebuf.dll
ftdisk.sys
\WINDOWS\system32\hal.dll
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\imapi.sys
intelide.sys
isapnp.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\WINDOWS\system32\ntdll.dll
\WINDOWS\system32\ntoskrnl.exe
ohci1394.sys
pci.sys
pciide.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\redbook.sys
sptd.sys
sr.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\win32k.sys


This puzzled me:
\SystemRoot\System32\Drivers\ajmgz8bs.SYS

The file was not there at all. But I tried creating an empty file named ajmgz8bs.SYS and copying it into windows\system32\drivers\ - and saw "Access denied". The empty file wouldn't copy into the \drivers\ dir. Well, that looked like a rootkit hiding itself to me - so after a few tries I found out that the driver's name was apparently randomly created on each bootup (every time I saw it, it began with an A) and that the driver was present in both safe mode and normal mode.

But then I found out that when you skip the sptd.sys driver in safe mode or normal mode, the weird nonexistent "driver" will not show up in IceSword. Sptd.sys is a driver installed by Daemon Tools for drive emulation purposes, so it would seem that the strangely named driver is something like a virtual driver that it makes for its own use? I also found the weirdly named file on another computer where Daemon Tools was installed.

I still am a bit concerned, though, about that shutdown of Sygate and the "death" of the network. (How would you grade Sygate, by the way? I am behind a router, so I just wanted a small basic firewall and decided to go with Sygate after reading reviews) Are there any other symptoms of potential infection that I should be looking for? I am not showing any outgoing or incoming packets (would it be possible for a rootkit to conceal them? I've been checking them with TCPview and Sygate's own monitor - is there something more powerful worth recommending?), Ice Sword is not showing anything weird other than the awkwardly named driver, there is no disk activity and Filemon shows only normal accesses to files... so am I being paranoid or should I dig further, but with other methods and tools?

TIA!
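As an added illustration (not code from the post or from any of the tools named in it), here is a small Python triage of an IceSword-style "Kernel Module" listing: it flags loaded modules whose file cannot be found on disk and, following the elimination the post describes, treats a random-looking driver name as explained only while sptd.sys is also loaded. The listing excerpt, the on-disk snapshot and the sptd.sys correlation are constructed from what the post reports; the eight-character name pattern is an assumption based on the one name seen.

```python
import re

# Constructed excerpt of an IceSword "Kernel Module" listing, modelled on the log in the post.
SAMPLE_LISTING = r"""
\WINDOWS\system32\DRIVERS\1394BUS.SYS
ACPI.sys
\SystemRoot\System32\Drivers\ajmgz8bs.SYS
sptd.sys
\Program Files\DAEMON Tools\daemon.dll
\WINDOWS\system32\ntoskrnl.exe
"""

# Constructed snapshot of the file names a directory listing actually shows (lower case).
ON_DISK = {"1394bus.sys", "acpi.sys", "sptd.sys", "ntoskrnl.exe", "daemon.dll"}

# Drivers known (from the post's own observation) to register a randomly named module
# while loaded. Assumption: the only correlation recorded here is sptd.sys from DAEMON Tools.
KNOWN_RANDOMIZED = {"sptd.sys": re.compile(r"^[a-z0-9]{8}\.sys$", re.I)}


def module_names(listing):
    """Return the bare file name of every module in the listing, with any path stripped."""
    return [line.strip().rsplit("\\", 1)[-1]
            for line in listing.splitlines() if line.strip()]


def triage(listing, on_disk):
    """Classify each listed module as present on disk, hidden but explained, or suspicious."""
    names = module_names(listing)
    loaded = {n.lower() for n in names}
    result = {"present": [], "explained": [], "suspicious": []}
    for name in names:
        if name.lower() in on_disk:
            result["present"].append(name)
            continue
        # A name missing from disk is only "explained" when a driver known to create
        # randomized modules is itself in the loaded set and the name matches its pattern.
        explained_by = [drv for drv, pat in KNOWN_RANDOMIZED.items()
                        if drv in loaded and pat.match(name)]
        if explained_by:
            result["explained"].append((name, explained_by[0]))
        else:
            result["suspicious"].append(name)
    return result


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LISTING, ON_DISK).items():
        print(bucket, entries)
```

Removing sptd.sys from the listing moves ajmgz8bs.SYS into the suspicious bucket, which is the check the post performed by booting without that driver.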

#2 quietman7

Posted 07 October 2007 - 08:02 AM

Most anti-rootkit scanners will not work in safe mode because they utilize a driver which is required for the scanning process and that driver will not load in safe mode. Further, there are rootkit variants (haxdoor) that run in safe mode so the usual reason for running a scan in that mode does not apply.

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Please download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
  • Accept the license and follow the prompts to install.
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with four buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, a small window will open so you can view the results.
  • Right click and select "Save Result To File".
  • By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file.)
  • If anything was found, click "Remove selected items"
  • If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.
Please download rootchk.exe and save to your desktop
  • Important: Temporarily disable any real-time monitoring programs (see note below).
  • Disconnect from the Internet.
  • Double-click on rootchk.exe to run the program.
  • A command prompt window will open as the scan begins and then close.
  • When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
  • Copy and paste the contents of the log into your next reply.
  • Re-enable active protection on any program you temporarily disabled.
Note: To avoid false positives, it is important that you temporarily disable ZoneAlarm Pro firewall or any other security program that protects your registry (Teatimer, Adwatch, Prevx, etc) before running a rootchk scan. Click on this link to see a list of other programs that should be disabled.

Edited by quietman7, 07 October 2007 - 08:03 AM.
