Potential Anonymous rootkit


This topic is locked
2 replies to this topic

#1 gezolad

gezolad

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:03 PM

Posted 24 February 2009 - 11:03 AM

Hi,

I suspect I have malware, possibly in the form of a rootkit, and would like to know if anyone else has similar experience, or suggestions other than wipe the boot record and re-install Windows!

I am running Windows XP SP3, on a Sony Vaio VGN-BX195VP laptop with Symantec Endpoint Protection, have a router with a firewall, and generally practice "safe computing", but I recently let my guard down (turned off Symantec as it was interfering with another app), and switched to admin to install. I noticed a potential problem when Symantec mentioned some changes to some of its files, after being re-enabled (they may have been antitamper files - can't remember exactly). This air-raid siren got me running the True Image rescue CD and reaching for my backups. TI reported the backups as corrupted, which was another cause for concern because they were different images, and I had restored from both of them within the last month; however, I had stupidly left the USB drive with the images attached to the PC (didn't make any hard copies).

Anyway, when I rebooted, the problem seemed to resolve itself (Symantec reported no problems with its files). But when I tried to update the signatures (after a fairly long time since the last update) it seemed to complete in seconds (normally takes minutes). So, with all these suspicious goings on, I decided to run some rootkit exposure tools. First I ran RootkitRevealer, which gave the following:

-----------------------------------------------------------------------
HKU\.DEFAULT 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-19 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-19_Classes 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-20 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-20_Classes 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-21-1217539496-63439485-1688634744-1006 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-21-1217539496-63439485-1688634744-1006_Classes 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-18 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\HARDWARE 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SAM 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SECURITY 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SOFTWARE 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SYSTEM 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
C: 01/01/1601 00:00 0 bytes Error mounting volume
Z: 01/01/1601 00:00 0 bytes Error mounting volume
-----------------------------------------------------------------------------------

Next I ran F-Secure Blacklight, and PrevX which found nothing, and then ran SanityCheck which found the following hooking processes:

----------------------------------------------------------------------
System routines are being intercepted

One or more system services are being intercepted on your system. This could be initiated by a rootkit or malware but there is also the possibility a security product is responsible for this. With the indications given you should find out if this is the work of a product that you have installed deliberately or not. Note that these SSDT hooks are very notorious because they rely on undocumented techniques and are incredibly difficult to implement right for a programmer. Even if they are installed by a legitimate product, these hooks very often are the cause of sudden unexpected reboots, blue screens, hangups and other misery. If you have more than one product installed which makes use of these techniques then your system is almost sure to be messed up.

The module is hooking the kernel to intercept base system services.

The responsbile kernel module could not be found. This likely means the module has allocated some kernel memory in which it can excecute. For certain well-known antivirus software this is a normal course but unfortunately this does not allow us to find the responsbile module at this point. For further analysis we suggest disabling any antivirus, anyspyware, firewall and other security software to see if this changes.

:

The module SysPlant.sys is hooking the kernel to intercept base system services.

Information about the responsible module SysPlant.sys:

file path: sysplant.sys
This file is no longer available. We suggest you try to find this file in another location on your hard disk.
Click here to do a Google search on SysPlant.sys

The module wpsdrvnt.sys is hooking the kernel to intercept base system services.

Information about the responsible module wpsdrvnt.sys:

file path: c:\windows\system32\drivers\wpsdrvnt.sys
product: Symantec CMC Firewall
description: Symantec CMC Firewall WPS
company: Symantec Corporation
Click here to do a Google search on wpsdrvnt.sys
-------------------------------------------------------------

You'll notice the first module is not named. The other 2 seem to be used by Symantec.

Before running SanityCheck, it warns that it has to turn on some registry settings and reboot, and that you can restore the settings after running the scan. However, I read on another post that someone else had tried this and found one or two problems, so I did a system backup before running the tool. However, when I tried to do a system restore after running it, the restoration tool would not complete.

Any comments?

Gez
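The two reports above are the kind of output a responder has to triage by hand: the RootkitRevealer run consists entirely of error lines (a 01/01/1601 timestamp is the zero FILETIME, so it produced no discrepancy data at all), and the SanityCheck report lists SSDT hooks that differ in how much the tool could attribute. The script below is an added example, not from the thread or from either tool; it parses constructed samples laid out like the quoted reports and labels each hook so the unexplained one stands out from the vendor-owned ones. The parsing rules are inferred from the quoted text, and the vendor allowlist is an assumption for this host (the poster says Symantec Endpoint Protection is installed).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the SanityCheck report quoted in the post.
SANITYCHECK_REPORT = r"""
The module is hooking the kernel to intercept base system services.

The responsbile kernel module could not be found. This likely means the module has allocated some kernel memory in which it can excecute.

The module SysPlant.sys is hooking the kernel to intercept base system services.

Information about the responsible module SysPlant.sys:

file path: sysplant.sys
This file is no longer available. We suggest you try to find this file in another location on your hard disk.

The module wpsdrvnt.sys is hooking the kernel to intercept base system services.

Information about the responsible module wpsdrvnt.sys:

file path: c:\windows\system32\drivers\wpsdrvnt.sys
product: Symantec CMC Firewall
description: Symantec CMC Firewall WPS
company: Symantec Corporation
"""

# Constructed sample in the layout of the RootkitRevealer output quoted in the post.
ROOTKITREVEALER_OUTPUT = r"""
HKU\.DEFAULT 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SYSTEM 01/01/1601 00:00 0 bytes Error dumping hive: The system cannot find the file specified.
C: 01/01/1601 00:00 0 bytes Error mounting volume
Z: 01/01/1601 00:00 0 bytes Error mounting volume
"""

# Assumed allowlist of vendors whose kernel hooks are expected on this machine;
# extend it per host from the installed security products.
KNOWN_SECURITY_VENDORS = {"symantec corporation"}

HOOK_RE = re.compile(r"^The module (?:(\S+) )?is hooking the kernel")
ATTR_RE = re.compile(r"^(file path|product|description|company):\s*(.*)$", re.IGNORECASE)


@dataclass
class Hook:
    module: Optional[str]                       # None when the report could not name the module
    attrs: Dict[str, str] = field(default_factory=dict)
    file_missing: bool = False                  # report says the named file could not be located


def parse_sanitycheck(text: str) -> List[Hook]:
    """Split a SanityCheck-style report into one Hook per 'The module ... is hooking' block."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(module=m.group(1)))
            continue
        if not hooks:
            continue                            # preamble before the first hook block
        a = ATTR_RE.match(line)
        if a:
            hooks[-1].attrs[a.group(1).lower()] = a.group(2).strip()
        elif "no longer available" in line:
            hooks[-1].file_missing = True
    return hooks


def triage(hooks: List[Hook]) -> List[Tuple[Optional[str], str]]:
    """Label each SSDT hook; 'unattributed' and 'unresolved-path' need follow-up."""
    out: List[Tuple[Optional[str], str]] = []
    for h in hooks:
        company = h.attrs.get("company", "").lower()
        if h.module is None:
            verdict = "unattributed"            # no owning module found by the tool
        elif h.file_missing or "file path" not in h.attrs:
            verdict = "unresolved-path"         # module named, but file not located on disk
        elif company in KNOWN_SECURITY_VENDORS:
            verdict = "known-security-vendor"
        else:
            verdict = "unknown-vendor"
        out.append((h.module, verdict))
    return out


def rootkitrevealer_summary(text: str) -> Dict[str, object]:
    """A run whose every entry is an error yielded no discrepancy data to interpret."""
    entries = [l for l in text.splitlines() if l.strip()]
    errors = [l for l in entries if "Error dumping hive" in l or "Error mounting volume" in l]
    return {"entries": len(entries), "errors": len(errors), "usable": len(errors) < len(entries)}


if __name__ == "__main__":
    for module, verdict in triage(parse_sanitycheck(SANITYCHECK_REPORT)):
        print(f"{module or '<unnamed>'}: {verdict}")
    print(rootkitrevealer_summary(ROOTKITREVEALER_OUTPUT))
```

Run against the samples, the first hook comes out as "unattributed", SysPlant.sys as "unresolved-path" (named but not located, so it still has to be checked on disk), and wpsdrvnt.sys as "known-security-vendor"; the RootkitRevealer summary reports the run as not usable, which is the right reading of an all-error scan rather than a clean one.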

#2 hamluis

hamluis

  • Moderator
  • 56,111 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:10:03 AM

Posted 24 February 2009 - 11:50 AM

I suggest that you post at BleepingComputer.com - Am I infected What do I do - http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

Louis

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:03 AM

Posted 24 February 2009 - 03:02 PM

I have already responded in your other thread here. Please do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues. Thanks for your cooperation.

This thread is closed. If you have any questions, please PM me or another Moderator.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
