Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit Revealer Output With Intermittent Restarts...


  • Please log in to reply
1 reply to this topic

#1 bhsx

bhsx

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:40 PM

Posted 10 December 2005 - 04:19 PM

Here's the output from Rootkit Revealer v1.6:
HKLM\SOFTWARE\CuXP3AE6Ke25 10/23/2005 10:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SENS 2/4/2004 7:59 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERRSVC 10/23/2005 10:17 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 12/9/2005 1:17 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf41 6/16/2005 8:39 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\SerRSvc 12/10/2005 10:03 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k5bcbtk.default\Cache\46787CF1d01 12/10/2005 10:21 AM 18.59 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k5bcbtk.default\Cache\4A65C164d01 12/10/2005 10:15 AM 80.95 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k5bcbtk.default\Cache\557D5814d01 12/10/2005 10:14 AM 51.45 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k5bcbtk.default\Cache\B38CCF6Dd01 12/10/2005 10:16 AM 45.10 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k5bcbtk.default\Cache\DEC1EC82d01 12/10/2005 10:19 AM 24.89 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\ndpslip.sys 10/23/2005 10:17 PM 12.00 KB Hidden from Windows API.

___________________________________
Now, google led me to the knowledge that d347prt is a part of Deamon Tools way of getting around certain DRM. So scratch that. I have no idea why FF would be hiding local settings from the API; but I seriously doubt that that is a concern. Scratch that too. ndpslip.sys gives no google hits. So that worries me, as do the other entries. Can anyone tell me what they are?

My PC has been intermittently rebooting itself on me and the family, today while my fiance's daughter was working on our wedding list, which was a bit frustrating. I tend to keep this locked-down fairly tight, so I was suprised when I found a rootkit a few weeks ago. I'm afraid these are remnants from that.

Here's a repost from slashdot of my rootkit experience:
"I got something installed on my system that slipped past the Spybot S&D, MS AntiSpyware, AVG antivirus, and ewido.
It was a total b*tch just to find. The thing would build its directory/itself on shutdown (it seemed) and load then delete any trace of itself at startup, even in Safe Mode. It hid itself from Windows Task Manager and every other scan a could run. I ran some Sysinternals [sysinternals.com] apps such as RootkitRevealer and Autoruns, and showed nothing over and above anything I could account for. Suspecting it was a rootkit anyway, I found some good apps such as Process Guard, and F-Secure's Blacklight(stand-alone executable, pretty nice), and a CLI app called RkDetector. Once I had ran PG I could see what was happenning to my poor little PC. Explorer launches a program called ddrssapi.exe from System32, then would go onto to launch mchshisn.exe every 3 seconds or so. At one point Process Guard counted mchshisn.exe loading over 350 times before grinding to a crashing halt!
Googling ddrssapi.exe or mchshisn.exe yields no hits (or at least didn't, now it'll probably link to this thread), so I renamed the former (because I knew where it was). I was hoping that was the app that created the directory at startup so I rebooted to see if things calmed down.
Process Guard makes no mention of ddrssapi, but is still continuously launching mchshisn, and I notice that it says it's launching from Program Files/Weslorer... Takes about 4 minutes to bring the box down to it's knees, but that gave me enough time to realize that I could do nothing to find this mysterious directory (Weslorer).
I boot into Knoppix 4.0 and low and behold there is PF/Weslorer. Unfortunately for me, Knoppix didn't want to play nice with NTFS, so I couldn't delete the dir. Then I remembered that I had build the Windows Ultimate Boot Disk based on BartPE a few weeks ago. Booted into it and removed the Weslorer (which also shows no google hits) directory and ran a Spybot S&D scan for good measure. I rebooted into my XP install and all was well. No more popups (which caused the autopsy in the first place), no more stray process launching hundreds of times. Just a new systray icon for Process Guard. That things going onto every removable media I have."

I hope that this is enough info for you kind folks to help me figure this out.
Thank you so much!

BC AdBot (Login to Remove)

 


#2 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:02:40 PM

Posted 10 December 2005 - 10:22 PM

bhsx: You could post a HiJackthis log in our HijackThis Logs and Analysis forum.
Before you do, please read and follow the instructions in the Preparation Guide for use before posting a HijackThis Log

If you do decide to post a HijackThis log, you should also post a link back to this post.

Good-luck.

:thumbsup:
JC




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users