NTDLL code modification detected... some help please.


26 replies to this topic

#1 Punch007

Posted 27 June 2011 - 05:26 PM

Hi, this is my first post here. I think my computer is finally infected after 2.5 yrs of malware-free usage.

My lil brother was busy installing a pirated version of Dirt 3 (he's yet to know of its ill effects and its illegality). I hurriedly interrupted the installation by first suspending the setup via Process Explorer to see what processes it was running; then when I clicked resume, it couldn't detect the running installation and threw an error in I dunno what language, and started the finishing installation stage, where it opened some website "---ggamez.org" and some site waresbb.org. I quickly ended its process tree.

Noticed two exe files, ggamez.exe and wbb.exe, in the Dirt 3 folder it had created; I had seen at least one of these two launch in Process Explorer before I ended the tree.

Though the system is behaving normally, I scanned with GMER's MBR checker, which found nothing, then checked with catchme, and it throws up this message in the command prompt:

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error


Having searched around the forum I've come to know this is a definite sign of some rootkit. :(

I'm running Windows 7 SP1 x86.

Some advice needed on what to do next and which logs to post; I just don't wanna lose my 2.5 yrs worth of customization with a reinstall.

I've run scans with HitmanPro with no detections.

Scanning with GMER now; previously I had suffered a BSOD during the scan, so I'm posting this thread before I begin scanning again. Will post the results soon.

Please help.
Thanks.


#2 Broni

Posted 27 June 2011 - 07:13 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

==============================================================

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Punch007

Posted 28 June 2011 - 12:52 AM

Thanks for the quick response Broni.

Securitycheck log:

Results of screen317's Security Check version 0.99.7
Windows 7 Service Pack 1 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Driver Cleaner.NET
Duplicate Cleaner 1.4.7
Java DB 10.5.3.0
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````

---------------------------------------
MBAM log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6963

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

28/06/2011 11:09:20
mbam-log-2011-06-28 (11-09-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 295087
Time elapsed: 28 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------


Rootkit Unhooker log


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7601 (Service Pack 1)
Number of processors #2
==============================================
>Drivers
==============================================
0x91A03000 C:\Windows\system32\DRIVERS\atikmdag.sys 8093696 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x83005000 C:\Windows\system32\ntkrnlpa.exe 4268032 bytes (Microsoft Corporation, NT Kernel & System)
0x83005000 PnpManager 4268032 bytes
0x83005000 RAW 4268032 bytes
0x83005000 WMIxWDM 4268032 bytes
0x9A601000 C:\Windows\system32\drivers\RTKVHDA.sys 3481600 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x9AFA0000 Win32k 2416640 bytes
0x9AFA0000 C:\Windows\System32\win32k.sys 2416640 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8B81C000 C:\Windows\System32\drivers\tcpip.sys 1351680 bytes (Microsoft Corporation, TCP/IP Driver)
0x8B466000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x9223A000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8B674000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x836F9000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0x9EA3D000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x92536000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x83619000 C:\Windows\system32\mcupdate_GenuineIntel.dll 544768 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x8B22D000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x92433000 C:\Windows\System32\Drivers\bthport.sys 409600 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0x8B600000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x910DA000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x92349000 C:\Windows\system32\DRIVERS\Rt86win7.sys 368640 bytes (Realtek , Realtek 8101E/8168/8169 NDIS 6.20 32-bit Driver )
0x9EB5C000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0x99103000 C:\Windows\system32\drivers\HdAudio.sys 327680 bytes (Microsoft Corporation, High Definition Audio Function Driver)
0x9EB0C000 C:\Windows\System32\DRIVERS\srv2.sys 327680 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x923AE000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8B36E000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8B2AC000 C:\Windows\system32\drivers\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x990AE000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x836B7000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x91279000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x91333000 C:\Windows\system32\DRIVERS\atikmpag.sys 262144 bytes (Advanced Micro Devices, Inc., AMD multi-vendor Miniport Driver)
0x8B9A0000 C:\Windows\system32\drivers\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8B72B000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x991AD000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x9121F000 C:\Windows\system32\Drivers\vmm.sys 241664 bytes (Microsoft Corporation, Virtual Machine Monitor)
0x922F1000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x83417000 ACPI_HAL 225280 bytes
0x83417000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8B417000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x99059000 C:\Windows\system32\drivers\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8B7BB000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x91134000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8B966000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x99153000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8B78E000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x8B595000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8B305000 C:\Windows\system32\drivers\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8B200000 C:\Windows\system32\drivers\vmbus.sys 172032 bytes (Microsoft Corporation, Virtual Machine Bus)
0x91017000 C:\Windows\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0x99031000 C:\Windows\system32\DRIVERS\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x8B5D3000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8B769000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x92497000 C:\Windows\system32\DRIVERS\rfcomm.sys 147456 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0x837A4000 C:\Windows\system32\drivers\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x92400000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x913B5000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9EADE000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x91300000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x91058000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x837E1000 C:\Windows\system32\drivers\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9232A000 C:\Windows\system32\drivers\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x9116D000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x9AE30000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x911DE000 C:\Windows\system32\DRIVERS\mcdbus.sys 118784 bytes (MagicISO, Inc., MagicISO SCSI Host Controller)
0x924C8000 C:\Windows\system32\DRIVERS\bthpan.sys 110592 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
0x9A9C1000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x99000000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x9119A000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Brother Industries Ltd., Brotehr Serial I/F Driver (WDM))
0x9A9DC000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x925BB000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x99182000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x912DA000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x921BB000 C:\Windows\system32\drivers\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x92219000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x91392000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x913D7000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x91200000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x911C7000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x910B7000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x8B3CE000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x9A99A000 C:\Windows\system32\drivers\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8B5C0000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x92523000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x911B4000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8B3E4000 00000102 73728 bytes
0x91380000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x924E3000 C:\Windows\system32\DRIVERS\bthmodem.sys 73728 bytes (Microsoft Corporation, Bluetooth Communications Driver)
0x9919B000 C:\Windows\System32\Drivers\BTHUSB.sys 73728 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
0x91321000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x925D4000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8B3E4000 C:\Windows\system32\drivers\winhv.sys 73728 bytes (Microsoft Corporation, Windows Hypervisor Interface Driver)
0x92502000 C:\Windows\system32\drivers\appid.sys 69632 bytes (Microsoft Corporation, AppID Driver)
0x8B800000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x9A97E000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x8B44B000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x990F2000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8B33A000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x8369E000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x9125A000 C:\Windows\system32\drivers\termdd.sys 69632 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x921ED000 C:\Windows\system32\DRIVERS\VMNetSrv.sys 69632 bytes (Microsoft Corporation, Virtual Machine Network Services Driver)
0x92513000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8B9E7000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x8B35E000 C:\Windows\system32\drivers\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x92200000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x99091000 C:\Windows\system32\drivers\WmXlCore.sys 61440 bytes (Logitech Inc., Logitech WingMan Translation Driver)
0x912F2000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x9118C000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x910A9000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x8B3C0000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8B65D000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x9126B000 C:\Windows\System32\Drivers\SCDEmu.SYS 57344 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0x990A0000 C:\Windows\system32\drivers\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8B29E000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x924BB000 C:\Windows\system32\drivers\BthEnum.sys 53248 bytes (Microsoft Corporation, Bluetooth Bus Extender)
0x91373000 C:\Windows\system32\drivers\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x9A95D000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x921D3000 C:\Windows\system32\drivers\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x924F5000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x921E0000 C:\Windows\system32\drivers\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x9EAFF000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x91079000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x912CE000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x9EBB4000 C:\Windows\system32\DRIVERS\NisDrvWFP.sys 49152 bytes (Microsoft Corporation, Microsoft Network Inspection System Driver)
0x910CE000 C:\Windows\system32\DRIVERS\TDI.SYS 49152 bytes (Microsoft Corporation, TDI Wrapper)
0x9104C000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8B353000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
0x9A96A000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x9A98F000 C:\Windows\system32\drivers\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x9A9B6000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x9109E000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x913AA000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x923A3000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x8B32F000 C:\Windows\system32\drivers\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x9A953000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x9A9F6000 C:\Windows\system32\DRIVERS\HidBatt.sys 40960 bytes (Microsoft Corporation, Hid Battery Driver)
0x912C4000 C:\Windows\system32\drivers\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x912BA000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x8B45C000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x913EF000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0x9EAD4000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x9220F000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x837C7000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x8B3F6000 C:\Windows\system32\drivers\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x9EBC3000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x9242A000 C:\Windows\system32\drivers\cpuz135_x32.sys 36864 bytes (CPUID, CPUID Driver)
0x9A975000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
0x8B66B000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x9AE00000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8B997000 C:\Windows\system32\drivers\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x8B2F4000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x836AF000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8B34B000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
0x8B9F7000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BC7000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x8B2FD000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x91086000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x9108E000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x91096000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8B9DF000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x91045000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x9A9AD000 C:\Windows\system32\drivers\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x8B3B9000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x9103E000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x92423000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x91166000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x9EBAE000 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{92E124BF-2561-484B-9E15-F153F18F9EC1}\MpKsl4eec821d.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0x92231000 C:\Windows\system32\DRIVERS\PS2.sys 16384 bytes (Hewlett-Packard Company, PS2 SYS)
0x9908D000 C:\Windows\system32\drivers\WmBEnum.sys 16384 bytes (Logitech Inc., Logitech WingMan Virtual Bus Enumerator Driver)
0x9EBC0000 C:\Windows\system32\DRIVERS\psi_mf.sys 12288 bytes (Secunia, Secunia PSI Driver)
0x99057000 C:\Windows\system32\drivers\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x9A9B4000 C:\Windows\system32\drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================


Nothing detected :(

-------------------------

Had also run GMER, here is its results page:


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-28 09:34:57
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD3200AAJS-00L7A0 rev.01.03E01
Running: r5zgf1qe.exe; Driver: C:\Users\DASPOI~1\AppData\Local\Temp\axtdapod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 8304C339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83085D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91A24000, 0x38CD55, 0xE8000020]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 ADA42000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 ADA42123 486 Bytes [D5, A3, AD, FE, 05, 34, D5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 529A ADA4230A 142 Bytes [A3, AD, 3B, 08, 77, 04, 3B, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 ADA42399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F ADA423FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@5063138cc14b 0x55 0xED 0x22 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@6c9b022e456b 0x6B 0x45 0x8B 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@0026699079d2 0x7D 0x37 0x01 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@00266866b1d5 0x53 0x06 0xC5 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@20d6078cb21a 0xE1 0xFB 0xF5 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000250
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000250@00266866b1d5 0x51 0x22 0xC4 0xC4 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000250@0026699079d2 0x54 0x89 0xA7 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000250@6c9b022e456b 0x53 0xF0 0xAA 0x25 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000250@20d6078cb21a 0xC1 0xD6 0xED 0xB0 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@5063138cc14b 0x55 0xED 0x22 0xA8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@6c9b022e456b 0x6B 0x45 0x8B 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@0026699079d2 0x7D 0x37 0x01 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@00266866b1d5 0x53 0x06 0xC5 0xAC ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@20d6078cb21a 0xE1 0xFB 0xF5 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000250 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000250@00266866b1d5 0x51 0x22 0xC4 0xC4 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000250@0026699079d2 0x54 0x89 0xA7 0x62 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000250@6c9b022e456b 0x53 0xF0 0xAA 0x25 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000250@20d6078cb21a 0xC1 0xD6 0xED 0xB0 ...

---- EOF - GMER 1.0.15 ----

EDIT:
I also ran a full scan with ESET's online scanner; it found nothing on the C drive, but detected some very old Flash files on another drive though.

Edited by Punch007, 28 June 2011 - 08:41 AM.


#4 Broni

Posted 28 June 2011 - 04:31 PM

All logs, including GMER look good :)

If you're not a Java developer, uninstall Java DB 10.5.3.0



#5 Punch007

Posted 28 June 2011 - 05:19 PM

All logs, including GMER look good :)

If you're not Java developer, uninstall Java DB 10.5.3.0


That's a relief :)

Actually I had uninstalled Oracle and the JDK as well and shifted all those dev tools to a virtual machine; dunno why it's still showing up.

I just found something rather strange: I tested catchme on one of my friend's machines, who has just bought his laptop and never connected to the internet or installed anything apart from the usual useless appz factory installed, and it still throws up that error... could it just be some compatibility issue?

#6 Broni

Posted 28 June 2011 - 05:42 PM

Well, not every message means something malicious is going on.
That's why we run some other scans to double-check.

Good luck!


#7 Punch007 (Topic Starter)

Posted 28 June 2011 - 05:52 PM

Yeah, that's true... :) Thanks a lot for your help. This does mean I'm not infected, by the looks of it?

Also, I had submitted those files to Avira and Microsoft, and both have come out clean after analysis by both of them. :)

#8 Broni

Posted 28 June 2011 - 05:58 PM

You're very welcome, and you should be good to go.


#9 Punch007 (Topic Starter)

Posted 29 June 2011 - 07:17 AM

Broni, one of the files, wbb.exe, was identified by Avira as TR/Drop.Startpage.N; the other, ggamez.exe, was marked clean. Microsoft had identified both as clean.
Is that something to worry about?

#10 Broni

Posted 29 June 2011 - 06:31 PM

One of the files, wbb.exe, was identified by Avira as TR/Drop.Startpage.N; the other, ggamez.exe, was marked clean

Where exactly do you have those two files?


#11 Punch007 (Topic Starter)

Posted 29 June 2011 - 10:07 PM

They were created by the installer in the Dirt 3 installation folder, which I subsequently deleted after stopping the installation, but I kept these 2 files for analysis.

#12 Broni

Posted 29 June 2011 - 10:21 PM

If that's a legit program, I'd consider the Avira result a false positive.

Open Windows Explorer. Go to Tools > Folder Options > View tab, and put a checkmark next to Show hidden files and folders.
Upload both files to http://www.virustotal.com/ for a security check.

IMPORTANT! If the file is listed as already analyzed, click on the Reanalyse file now button.
Post the scan results.


#13 Punch007 (Topic Starter)

Posted 29 June 2011 - 10:37 PM

A false positive even after being analyzed when submitted via their website?

Its detection has not been added to their database yet.

That whole installer was not the official installer, so I don't think that these two files are legit files :(.

Here are the results for wbb.exe



File name: WBB.exe
Submission date: 2011-06-30 03:30:07 (UTC)
Current status: finished
Result: 5/42 (11.9%)

Antivirus             Version          Last Update   Result
AhnLab-V3             2011.06.30.00    2011.06.29    -
AntiVir               7.11.10.167      2011.06.30    -
Antiy-AVL             2.0.3.7          2011.06.29    -
Avast                 4.8.1351.0       2011.06.29    -
Avast5                5.0.677.0        2011.06.29    -
AVG                   10.0.0.1190      2011.06.30    -
BitDefender           7.2              2011.06.30    -
CAT-QuickHeal         11.00            2011.06.29    -
ClamAV                0.97.0.0         2011.06.30    -
Commtouch             5.3.2.6          2011.06.30    -
Comodo                9225             2011.06.30    -
DrWeb                 5.0.2.03300      2011.06.30    -
eSafe                 7.0.17.0         2011.06.29    -
eTrust-Vet            36.1.8416        2011.06.29    -
F-Prot                4.6.2.117        2011.06.30    -
F-Secure              9.0.16440.0      2011.06.30    -
Fortinet              4.2.257.0        2011.06.30    -
GData                 22               2011.06.30    -
Ikarus                T3.1.1.104.0     2011.06.30    -
Jiangmin              13.0.900         2011.06.29    -
K7AntiVirus           9.106.4856       2011.06.29    -
Kaspersky             9.0.0.837        2011.06.30    -
McAfee                5.400.0.1158     2011.06.30    -
McAfee-GW-Edition     2010.1D          2011.06.30    Heuristic.BehavesLike.Win32.ModifiedUPX.J!87
Microsoft             1.7000           2011.06.29    -
NOD32                 6251             2011.06.30    -
Norman                6.07.10          2011.06.29    -
nProtect              2011-06-29.01    2011.06.29    -
Panda                 10.0.3.5         2011.06.29    Suspicious file
PCTools               8.0.0.5          2011.06.30    -
Prevx                 3.0              2011.06.30    -
Rising                23.64.02.03      2011.06.29    Suspicious
Sophos                4.66.0           2011.06.30    -
SUPERAntiSpyware      4.40.0.1006      2011.06.30    -
Symantec              20111.1.0.186    2011.06.30    -
TheHacker             6.7.0.1.245      2011.06.29    -
TrendMicro            9.200.0.1012     2011.06.30    PAK_Generic.001
TrendMicro-HouseCall  9.200.0.1012     2011.06.30    PAK_Generic.001
VBA32                 3.12.16.3        2011.06.29    -
VIPRE                 9728             2011.06.30    -
ViRobot               2011.6.30.4541   2011.06.30    -
VirusBuster           14.0.102.0       2011.06.29    -


Additional information

MD5 : 0c29091b72c4b00dec8fd38a783eab99
SHA1 : c9483a591745e52ca7d2019c7ce2daa059232a1a
SHA256: 872b4d49fe156f0aa90bb1fee87b48055c96dcce3e0ad0e01ed92337da3c5794
ssdeep: 1536:GPcVo6r7S/rab5nouy8+nr5NZNoIxTjtS8Z9T0TYHvB5dHJq9ixOimEzwy4O:J7cWbpouts5v3xlZoTW5d+KMEzw
File size : 129536 bytes
First seen: 2011-05-18 15:36:41
Last seen : 2011-06-30 03:30:07

TrID:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers (F-Prot): UPX_LZMA

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x28070
timedatestamp....: 0x498D2B24 (Sat Feb 07 06:33:08 2009)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x23000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x24000, 0x5000, 0x4E00, 7.84, ff3dd99de0c8595ba4f15f3e9e13ef46
.rsrc, 0x29000, 0x1B000, 0x1AA00, 4.97, f9cc8634ff0e8f83a1a75c7cd44a4810

[[ 7 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMCTL32.dll: InitCommonControls
GDI32.dll: SetBkColor
MSVCRT.dll: memset
OLE32.dll: CoInitialize
SHELL32.dll: ShellExecuteExA
USER32.dll: IsChild

ExifTool:
file metadata
CodeSize: 20480
EntryPoint: 0x28070
FileSize: 126 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 110592
LinkerVersion: 2.5
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:02:07 07:33:08+01:00
UninitializedDataSize: 143360

#14 Broni

Posted 29 June 2011 - 10:45 PM

Well, it does look suspicious.
A 5/42 score and this:
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

I suggest you delete it.


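The indicators Broni reads off the report (detection count, unsigned sigcheck, a UPX0 section with no raw data, high-entropy UPX1) as an added Python triage helper; this is example code written for this thread, not a BleepingComputer or VirusTotal tool, and SAMPLE_REPORT is a constructed, condensed copy of the WBB.exe fields posted above.

```python
import re

# Constructed sample: a condensed copy of the fields VirusTotal printed for WBB.exe
# in the post above (result line, sigcheck, PEiD and the PEInfo section table).
SAMPLE_REPORT = """\
Result:
5/ 42 (11.9%)
sigcheck:
publisher....: n/a
signers......: -
verified.....: Unsigned
PEiD: UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x23000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x24000, 0x5000, 0x4E00, 7.84, ff3dd99de0c8595ba4f15f3e9e13ef46
.rsrc, 0x29000, 0x1B000, 0x1AA00, 4.97, f9cc8634ff0e8f83a1a75c7cd44a4810
"""

# One PEInfo section row: name, viradd, virsiz, rawdsiz, ntropy, md5
SECTION_RE = re.compile(r"^(\S+), 0x[0-9A-Fa-f]+, (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), ([\d.]+), [0-9a-f]{32}$")


def parse_sections(report):
    """Return (name, virtual_size, raw_size, entropy) for each PEInfo section row."""
    rows = []
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16), float(m.group(4))))
    return rows


def triage(report):
    """List the indicators a helper reads off the report: detections, signing state, packing."""
    findings = []
    m = re.search(r"Result:\s*(\d+)/\s*(\d+)", report)
    if m and int(m.group(1)) > 0:
        findings.append(f"{int(m.group(1))}/{int(m.group(2))} engines flagged the file")
    if re.search(r"^verified\.*:\s*Unsigned", report, re.M):
        findings.append("no Authenticode signature")
    for name, virt, raw, entropy in parse_sections(report):
        # Virtual size but zero bytes on disk: the section is filled at run time by
        # the packer's stub (its md5 is the hash of empty input for the same reason).
        if virt > 0 and raw == 0:
            findings.append(f"section {name} has no raw data (filled at run time)")
        if entropy >= 7.0:  # near-random bytes: compressed or encrypted content
            findings.append(f"section {name} entropy {entropy} (compressed or encrypted)")
    if re.search(r"^PEiD:\s*UPX", report, re.M):
        findings.append("PEiD identifies a UPX packer")
    return findings
```

Packing alone is not malice (plenty of legitimate software ships UPX-packed), which is why the helper reports indicators for a human to weigh rather than a verdict.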

#15 Punch007 (Topic Starter)

Posted 29 June 2011 - 10:45 PM

ggamez.exe was detected only by Rising as suspicious, so I removed the other AV results.

Antivirus             Version          Last Update   Result
Rising                23.64.02.03      2011.06.29    Suspicious



Additional information

MD5 : a19ac68766bce8d0c6159f7dab7c5a72
SHA1 : 972afcdf81c6702dba19924d51988f445083eef6
SHA256: 4c06fdf905451f3302e4f60be12883ba877208a6aa18ac39f0fd02faed43a590
ssdeep: 1536:PPcVo6r7S/rabxnouy8/LRV9bSicJoUqxM0XNf2GqnnmMzUFjKkO0o:g7cWbxoutz9WpLqxRNinmMeGN
File size : 85504 bytes
First seen: 2010-10-20 19:46:07
Last seen : 2011-06-30 03:33:11

TrID:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)

sigcheck:
publisher....: gGamez.Org
copyright....: www.ggamez.org
product......: launcher
description..: n/a
original name: n/a
internal name: n/a
file version.: 1,0,0,0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers (F-Prot): UPX_LZMA

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1D050
timedatestamp....: 0x498D2B24 (Sat Feb 07 06:33:08 2009)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x18000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x19000, 0x5000, 0x4C00, 7.91, 69d82210feee60546c8e6b7cbb50d7eb
.rsrc, 0x1E000, 0x10000, 0x10000, 5.01, db3969215be093275410bcf4bd0a6044

[[ 7 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMCTL32.dll: InitCommonControls
GDI32.dll: SetBkColor
MSVCRT.dll: memset
OLE32.dll: CoInitialize
SHELL32.dll: ShellExecuteExA
USER32.dll: IsChild

ExifTool:
file metadata
CharacterSet: Windows, Latin1
CodeSize: 20480
CompanyName: gGamez.Org
EntryPoint: 0x1d050
FileFlagsMask: 0x003f
FileOS: Windows 16-bit
FileSize: 84 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 1,0,0,0
FileVersionNumber: 1.0.0.0
ImageVersion: 0.0
InitializedDataSize: 65536
LanguageCode: English (U.S.)
LegalCopyright: www.ggamez.org
LinkerVersion: 2.5
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
PEType: PE32
ProductName: launcher
ProductVersion: 1,0,0,0
ProductVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:02:07 07:33:08+01:00
UninitializedDataSize: 98304



