
Possible rootkit


7 replies to this topic

#1 49er

Posted 19 October 2011 - 01:03 AM

Hello, this is my first post. I'm a computer professional helping a friend with his computer, which is running Vista Basic.

I'm writing because of a message from MBAM. It removed several items, one of which it described as a Rootkit Dropper. I also ran Spybot S&D, which came back clean. I then ran Rootkit Revealer, which produced a very large log (400 MB). I didn't see anything obvious in briefly browsing through it, but I don't know what to look for.

Please suggest programs to run or what to look for in the RKR log. Thank you in advance.

- 49er

#2 TheShooter93

Malware Response Team

Posted 19 October 2011 - 09:27 AM

Is the computer showing any symptoms of infection?

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

#3 49er

Posted 21 October 2011 - 12:22 AM

No, I don't see any obvious signs. The message from the virus scan is what made me wonder.

#4 TheShooter93

Posted 21 October 2011 - 09:22 AM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#5 49er

Posted 22 October 2011 - 10:42 AM

Thanks, I'll run that tonight.

- 49er

#6 49er

Posted 23 October 2011 - 10:45 PM

OK, gmer ran with no warnings. Here's the log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-23 09:49:26
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FB2O
Running: og74v73e.exe; Driver: C:\Users\Scottie\AppData\Local\Temp\fgdirfoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88B57480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x88B98900, 0x3CA, 0x48000040]
? C:\Windows\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
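A small parser helps when reading a GMER log like the one above, especially a long one. This is an added example, not code from the thread or from GMER: it splits the log into its sections, pulls out each kernel-code-section remark with the driver it concerns, and lists attached device filters with their vendor string so that non-Microsoft filters can be reviewed first. The line patterns are assumptions based only on the posted log, and the embedded sample is a shortened copy of it.

```python
import re
# Shortened copy of the GMER log posted above, embedded here as constructed test input.
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88B57480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x88B98900, 0x3CA, 0x48000040]
? C:\Windows\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# <PE section> <driver path> <GMER remark> [optional address block] [optional trailing !]
KERNEL_RE = re.compile(r"^(\S+)\s+(.+?\.sys)\s+(.*?)(?:\s+\[.*\])?\s*!?$", re.IGNORECASE)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)/(.*)\)$")

def parse_sections(log):
    """Split a GMER log into {section name: [entry lines]}; the EOF marker ends parsing."""
    sections, current = {}, None
    for line in map(str.strip, log.splitlines()):
        m = SECTION_RE.match(line)
        if m and m.group(1) == "EOF":
            break
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and line:
            current.append(line)
    return sections

def triage(log):
    """Return (kernel_findings, attached_devices): what a reviewer should eyeball first."""
    kernel, devices = [], []
    for name, entries in parse_sections(log).items():
        for entry in entries:
            k = KERNEL_RE.match(entry) if name.startswith("Kernel code") else None
            d = DEVICE_RE.match(entry) if name == "Devices" else None
            if k:  # (PE section, driver path, GMER remark); benign or not is a human call
                kernel.append((k.group(1), k.group(2), k.group(3).strip()))
            if d:  # (filtered device, filter driver, vendor string)
                devices.append((d.group(2), d.group(3), d.group(5)))
    return kernel, devices

def non_microsoft_filters(log):
    """Attached device filters not attributed to Microsoft; review these before the rest."""
    return [d for d in triage(log)[1] if "Microsoft" not in d[2]]
```

On the posted log this surfaces the three kernel-section remarks (two for tos_sps32.sys, one missing PROCEXP141.SYS) and no non-Microsoft device filters, which matches the "clean" verdict below only after a person has judged those three entries.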

#7 TheShooter93

Posted 23 October 2011 - 11:35 PM

It appears the PC is clean. :thumbup2:

Just remember to continually update your antivirus software and have a firewall turned on.

If you experience any suspicious behavior, post back here or start a new thread and it will be investigated.

#8 49er

Posted 24 October 2011 - 12:37 PM

That's good news! Thank you very much for your help.
