
Personal information stolen, possible rootkit or keylogger


3 replies to this topic

#1 somenoob

Posted 27 January 2011 - 11:50 AM

Hi,
I discovered today that my debit card information was somehow stolen and used to pay for services on an online gambling site. I've already taken steps to make sure it can't happen again with my card information but I'm worried I may have a rootkit or keylogger in my system that allowed access to it in the first place. I'm running Windows 7 (32bit) on my computer. I have run Antivir Antivirus and Malwarebytes Anti-Malware and neither of them picked anything up, however it has occurred to me that if there is a rootkit it may not be detectable by these means. I haven't run anything else as I am unsure what is safe to run and what kind of damage I could do. If at all possible would someone be able to help me find out if I do have any on my system?



#2 quietman7

Global Moderator
Posted 27 January 2011 - 02:11 PM

Malwarebytes Anti-Malware uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well.

There are many free anti-rootkit tools but some of them require a certain level of expertise and investigative ability to use. These are a few of the easier ARKs for novice users:
You can also get a second opinion by performing an Online Virus Scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 somenoob


Posted 27 January 2011 - 06:07 PM

Hi,

I ran Avira AntiRootKit and it came up with this:
Avira AntiRootkit Tool (1.3.0.1)

========================================================================================================
- Scan started Friday, 28 January 2011 - 6:26:05 AM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 360.94 GB
- Working disk free size : 133.47 GB (36 %)
--------------------------------------------------------------------------------------------------------

Results:
Embedded nulls : HKEY_USERS\S-1-5-21-3790442823-3457983353-521132982-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY
Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update -> offlinedetectionpending
Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97456AD6-EE23-42CC-AD0A-834BF5CEF111} -> path
Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97456AD6-EE23-42CC-AD0A-834BF5CEF111} -> hash
Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97456AD6-EE23-42CC-AD0A-834BF5CEF111} -> triggers
Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97456AD6-EE23-42CC-AD0A-834BF5CEF111} -> dynamicinfo
Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Search\Tracing\EventThrottleState -> 000003f5
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#*ISATAP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{D48C616A-4EF6-448A-A459-2C8815C25BEA} -> symboliclink
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D48C616A-4EF6-448A-A459-2C8815C25BEA}\Connection -> defaultnameresourceid
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D48C616A-4EF6-448A-A459-2C8815C25BEA}\Connection -> defaultnameindex
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D48C616A-4EF6-448A-A459-2C8815C25BEA}\Connection -> name
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\services\iphlpsvc\Parameters\Isatap\{D48C616A-4EF6-448A-A459-2C8815C25BEA} -> interfacename
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\services\iphlpsvc\Parameters\Isatap\{D48C616A-4EF6-448A-A459-2C8815C25BEA} -> reusabletype
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\services\TCPIP6\Parameters\Interfaces\{d48c616a-4ef6-448a-a459-2c8815c25bea} -> dhcpv6iaid
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\services\TCPIP6\Parameters\Interfaces\{d48c616a-4ef6-448a-a459-2c8815c25bea} -> dhcpv6state

--------------------------------------------------------------------------------------------------------
Files: 0/63664
Registry items: 15/478780
Processes: 0/84
Scan time: 00:04:15
--------------------------------------------------------------------------------------------------------
Active processes:
- System (PID 4)
- avguard.exe (PID 1768)
- audiodg.exe (PID 1088)
- svchost.exe (PID 1304)
- smss.exe (PID 268)
- svchost.exe (PID 1788)
- svchost.exe (PID 4636)
- TosCoSrv.exe (PID 1968)
- AppleMobileDev (PID 392)
- csrss.exe (PID 384)
- wininit.exe (PID 456)
- mDNSResponder. (PID 376)
- csrss.exe (PID 468)
- lsm.exe (PID 540)
- winlogon.exe (PID 568)
- lsass.exe (PID 532)
- services.exe (PID 516)
- svchost.exe (PID 1020)
- chrome.exe (PID 4900)
- DTShellHlp.exe (PID 3892)
- svchost.exe (PID 688)
- sqlservr.exe (PID 632)
- iPodService.ex (PID 3404)
- svchost.exe (PID 788)
- atiesrxx.exe (PID 836)
- TosSENotify.ex (PID 6120)
- TPCHSrv.exe (PID 6104)
- svchost.exe (PID 912)
- VSSVC.exe (PID 4496)
- explorer.exe (PID 2780)
- TosSmartSrv.ex (PID 6040)
- svchost.exe (PID 976)
- iTunesHelper.e (PID 3828)
- dllhost.exe (PID 5320)
- vsmon.exe (PID 1440)
- wmpnetwk.exe (PID 3956)
- svchost.exe (PID 1136)
- svchost.exe (PID 1540)
- atieclxx.exe (PID 1240)
- PnkBstrA.exe (PID 1164)
- TrustedInstall (PID 1192)
- svchost.exe (PID 1396)
- sqlwriter.exe (PID 1324)
- SearchFilterHo (PID 2624)
- TODDSrv.exe (PID 1408)
- spoolsv.exe (PID 1688)
- sched.exe (PID 1732)
- svchost.exe (PID 4512)
- SearchProtocol (PID 5096)
- avshadow.exe (PID 1916)
- conhost.exe (PID 1924)
- TecoService.ex (PID 2108)
- zirnbtwv.exe (PID 1384) (Avira AntiRootkit Tool)
- WLIDSVC.EXE (PID 2188)
- avirarkd.exe (PID 4868)
- WLIDSVCM.EXE (PID 2308)
- taskeng.exe (PID 2836)
- taskhost.exe (PID 2612)
- dwm.exe (PID 2764)
- GameBox.exe (PID 2956)
- zlclient.exe (PID 3752)
- DTAgent.exe (PID 3904)
- TPCHWMsg.exe (PID 4128)
- SearchIndexer. (PID 3656)
- alg.exe (PID 3152)
- svchost.exe (PID 3212)
- TPwrMain.exe (PID 3480)
- SmoothView.exe (PID 3516)
- SynTPEnh.exe (PID 3540)
- SynTPHelper.ex (PID 3620)
- svchost.exe (PID 1112)
- TEco.exe (PID 3680)
- avgnt.exe (PID 3732)
- jusched.exe (PID 3768)
- GoogleCrashHan (PID 3976)
- WmiPrvSE.exe (PID 4220)
- chrome.exe (PID 4660)
- NDSTray.exe (PID 4752)
- CFSwMgr.exe (PID 4848)
- chrome.exe (PID 5580)
- agrsmsvc.exe (PID 5848)
- CFIWmxSvcs.exe (PID 5872)
- CFSvcs.exe (PID 5924)
- RSelSvc.exe (PID 5952)
========================================================================================================
- Scan finished Friday, 28 January 2011 - 6:30:21 AM

Do I actually have something bad on here then?...

Edited by Orange Blossom, 27 January 2011 - 06:11 PM.
Merged topics and deleted no longer relevant line. ~ OB


#4 quietman7

Global Moderator

Posted 27 January 2011 - 07:03 PM

Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD emulators, sandboxes, virtual machines and host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Your scan results show various hidden registry keys belonging to Microsoft (i.e. Task Scheduler, Windows Update, Windows Search, etc.) and embedded nulls by SecuROM, a CD/DVD copy protection and digital rights management system by Sony. The presence of some keys with nulls may be pertinent to the correct operation of related applications. The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings.
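The scan log above reports four "hidden" values (path, hash, triggers, dynamicinfo) under TaskCache\Tasks\{97456AD6-EE23-42CC-AD0A-834BF5CEF111}, which is the normal shape of a Task Scheduler cache entry. What actually answers "is this bad?" is the task that GUID belongs to and the binary it runs. The script below is an added example, not part of the thread and not from Avira or Microsoft; it assumes the Windows 7 TaskCache registry layout (a Path value under Tasks\{GUID}, a matching Id value under Tree\<task path>, and the task definition XML under %SystemRoot%\System32\Tasks) and an elevated PowerShell prompt on the scanned machine. The GUID is the one from the log; any other TaskCache GUID can be substituted.

```powershell
# Added example, not from the thread: resolve a TaskCache GUID that an
# anti-rootkit scan reported as "hidden" back to the scheduled task it
# belongs to, and show what that task actually executes. Run from an
# elevated PowerShell prompt on the scanned machine (Windows 7 layout).
$taskId = '{97456AD6-EE23-42CC-AD0A-834BF5CEF111}'   # GUID from the Avira log
$cache  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Resolve-TaskCacheId {
    param([string]$Id)

    # 1. TaskCache\Tasks\{GUID} carries a "Path" value: the folder\name that
    #    Task Scheduler displays, e.g. \Microsoft\Windows\Defrag\ScheduledDefrag.
    $entry = Get-ItemProperty -Path "$cache\Tasks\$Id" -ErrorAction SilentlyContinue
    if (-not $entry) { Write-Warning "No TaskCache\Tasks entry for $Id"; return }
    $taskPath = $entry.Path
    "Task path : $taskPath"

    # 2. Cross-check against TaskCache\Tree, which mirrors the Task Scheduler
    #    folder layout and stores the same GUID in an "Id" value. Task Scheduler
    #    only lists tasks present in Tree, so a Tasks entry with no matching
    #    Tree entry (or the reverse) is exactly the kind of thing to look at.
    $treeId = (Get-ItemProperty -Path "$cache\Tree$taskPath" -ErrorAction SilentlyContinue).Id
    if ($treeId -ne $Id) { Write-Warning "Tree entry missing or Id mismatch for $taskPath" }

    # 3. The on-disk definition (%SystemRoot%\System32\Tasks\<path>) is XML;
    #    its <Exec> actions are what runs when one of the triggers fires.
    $xmlFile = "$env:SystemRoot\System32\Tasks$taskPath"
    if (-not (Test-Path $xmlFile)) { Write-Warning "No task XML at $xmlFile"; return }
    [xml]$xml = Get-Content -Path $xmlFile
    $execs = @($xml.Task.Actions.Exec | Where-Object { $_ })
    if ($execs.Count -eq 0) { "Actions   : none of type Exec (COM handler or mail action)"; return }

    # 4. For each Exec action, report the command and whether the binary exists
    #    and carries a valid Authenticode signature. A Microsoft-signed binary
    #    under System32 is the expected answer for the entries in this log; an
    #    unsigned or missing binary in a user-writable folder is the bad pattern.
    foreach ($exec in $execs) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$exec.Command).Trim('"')
        "Action    : $cmd $($exec.Arguments)"
        if (Test-Path $cmd) {
            $sig = Get-AuthenticodeSignature -FilePath $cmd
            "Signature : $($sig.Status) $($sig.SignerCertificate.Subject)"
        } else {
            Write-Warning "Command not found on disk: $cmd"
        }
    }
}

Resolve-TaskCacheId -Id $taskId
```

Read the output as a whole rather than as a verdict: a task path under \Microsoft\Windows\ whose Tree Id matches, with a Valid signature from Microsoft on a binary in System32, is the normal case the moderator describes. A mismatch between Tasks and Tree, a task path outside the Microsoft folders, or an Exec command pointing at an unsigned file in a profile or temp directory is what would justify pulling the task XML and the binary for closer analysis.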



