Sandbox Driveby - Rootkit?


2 replies to this topic

#1 VaDAR_


Posted 07 October 2012 - 07:02 PM

One day when I was using Sandbox, a drive-by got me which ran Windows Media Player and some cmd + their .exe files through cmd prompts. I managed to close the Sandbox, thus ending the scrap. I've run most malware tools that you could think of, exactly from these sorts of forums, and the only tools that found anything worthwhile were:

RemoveIT Pro v7 Enterprise
USEC Radix V1

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.
Generated at: 08/10/2012 on 00:49:30
Microsoft Windows Vista (SP2)

00:49:30: Scanning, please wait...
00:49:37: Infected file (Sys32._iu14d2n) C:\Users\Administrator\local settings\temp\_iu14d2n.tmp -> No action taken.
00:49:49: Infected file (Sys32.au_) C:\Users\Administrator\AppData\Local\Temp\~nsu.tmp\au_.exe -> No action taken.
00:49:55: Infected file (Sys32.dds) C:\Users\Administrator\desktop\dds.scr -> No action taken.
00:50:21: Infected file (Sys32.otl) C:\Users\Administrator\desktop\otl.exe -> No action taken.
00:50:53: Infected file (Sys32.dtsbassenhancementdll) C:\Windows\system32\dtsbassenhancementdll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtsboostdll) C:\Windows\system32\dtsboostdll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtsgaincompensatordll) C:\Windows\system32\dtsgaincompensatordll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtsgfxapo) C:\Windows\system32\dtsgfxapo.dll -> No action taken.
00:50:53: Infected file (Sys32.dtsgfxapons) C:\Windows\system32\dtsgfxapons.dll -> No action taken.
00:50:53: Infected file (Sys32.dtslfxapo) C:\Windows\system32\dtslfxapo.dll -> No action taken.
00:50:53: Infected file (Sys32.dtslimiterdll) C:\Windows\system32\dtslimiterdll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtsneopcdll) C:\Windows\system32\dtsneopcdll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtss2headphonedll) C:\Windows\system32\dtss2headphonedll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtss2speakerdll) C:\Windows\system32\dtss2speakerdll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtssymmetrydll) C:\Windows\system32\dtssymmetrydll.dll -> No action taken.
00:50:53: Infected file (Sys32.dtsvoiceclaritydll) C:\Windows\system32\dtsvoiceclaritydll.dll -> No action taken.
00:51:02: Infected file (Sys32.lnkprotect) C:\Windows\system32\lnkprotect.dll -> No action taken.
00:51:03: Infected file (Sys32.maxxaudiorealtek) C:\Windows\system32\maxxaudiorealtek.dll -> No action taken.
00:51:07: Infected file (Sys32.nvdispco32) C:\Windows\system32\nvdispco32.dll -> No action taken.
00:51:07: Infected file (Sys32.nvgenco32) C:\Windows\system32\nvgenco32.dll -> No action taken.
00:51:11: Infected file (Sys32.r4eea32a) C:\Windows\system32\r4eea32a.dll -> No action taken.
00:51:11: Infected file (Sys32.r4eed32a) C:\Windows\system32\r4eed32a.dll -> No action taken.
00:51:11: Infected file (Sys32.r4eeg32a) C:\Windows\system32\r4eeg32a.dll -> No action taken.
00:51:11: Infected file (Sys32.r4eel32a) C:\Windows\system32\r4eel32a.dll -> No action taken.
00:51:11: Infected file (Sys32.r4eep32a) C:\Windows\system32\r4eep32a.dll -> No action taken.
00:51:13: Infected file (Sys32.sfnhk) C:\Windows\system32\sfnhk.dll -> No action taken.
00:51:17: Infected file (Sys32.usbfilter) C:\Windows\system32\drivers\usbfilter.sys -> No action taken.
00:51:31: Infected file (Sys32.ntfs) C:\Windows\erdnt\cache\ntfs.sys -> No action taken.
00:51:39: 28 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
Finished...
From the looks of my RemoveIT Pro log, it shows that some of my sound files, one USB driver and Nvidia are infected.

http://pastebin.com/ar8HbtXP - Online Log
http://www66.zippyshare.com/v/44096275/file.html - Offline Log
From the looks of my USEC Radix log, it shows that the main Nvidia 100% genuine driver and Palemoon Browser are infected.

Edited by VaDAR_, 07 October 2012 - 07:42 PM.
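Editor's added example (not code from the poster or from RemoveIT Pro): a small Python parser for the scanner log quoted above. It re-joins entries that the forum wrapped across two lines, groups the hits by directory, and checks two things a practitioner looks at before trusting such a log: whether the detection name carries any information beyond the filename (every entry above is literally "Sys32." plus the file's own stem), and whether the scanner actually did anything ("No action taken." on all 28). The sample log is a constructed excerpt of the entries on this page.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt of the RemoveIT Pro log quoted in the post above,
# including one entry that the forum wrapped across two lines.
SAMPLE_LOG = """00:49:30: Scanning, please wait...
00:49:37: Infected file (Sys32._iu14d2n) C:\\Users\\Administrator\\local settings\\temp\\_iu14d2n.tmp -> No action taken.
00:49:49: Infected file (Sys32.au_) C:\\Users\\Administrator\\AppData\\Local\\Temp\\~nsu.tmp\\au_.exe -> No action
taken.
00:49:55: Infected file (Sys32.dds) C:\\Users\\Administrator\\desktop\\dds.scr -> No action taken.
00:50:53: Infected file (Sys32.dtsboostdll) C:\\Windows\\system32\\dtsboostdll.dll -> No action taken.
00:51:17: Infected file (Sys32.usbfilter) C:\\Windows\\system32\\drivers\\usbfilter.sys -> No action taken.
00:51:39: 28 Dangerous files has been found on your computer.
"""

TIMESTAMP_RE = re.compile(r"^\d\d:\d\d:\d\d:")
ENTRY_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d): Infected file \((?P<name>[^)]+)\) "
    r"(?P<path>.+?) -> (?P<action>.+)$"
)


def unwrap(text):
    """Re-join wrapped lines: a line that does not start with a timestamp
    is a continuation of the previous entry."""
    lines = []
    for raw in text.splitlines():
        if TIMESTAMP_RE.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] = lines[-1] + " " + raw.strip()
    return lines


def parse_log(text):
    """Return one dict (time, name, path, action) per 'Infected file' entry."""
    entries = []
    for line in unwrap(text):
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def name_mirrors_filename(entry):
    """True when the detection name is just 'Sys32.' + the file's stem,
    i.e. the scanner reports no family information beyond the filename."""
    stem = PureWindowsPath(entry["path"]).stem.lower()
    return entry["name"].lower() == f"sys32.{stem}"


def triage(entries):
    """Group hits by parent directory and count generic / untouched ones."""
    by_dir = defaultdict(list)
    for e in entries:
        by_dir[str(PureWindowsPath(e["path"]).parent).lower()].append(e["path"])
    return {
        "total": len(entries),
        "generic_names": sum(1 for e in entries if name_mirrors_filename(e)),
        "no_action": sum(1 for e in entries
                         if e["action"].strip().lower() == "no action taken."),
        "by_dir": dict(by_dir),
    }


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    print(f"{summary['total']} hits, {summary['generic_names']} with generic names, "
          f"{summary['no_action']} left untouched")
    for d, paths in summary["by_dir"].items():
        print(d, "->", len(paths), "file(s)")
```

When every detection name mirrors the filename and nothing was quarantined, the log is a list of files to verify rather than a verdict. For the system32 entries the next step is a signature check of each file (for example `Get-AuthenticodeSignature` in PowerShell) rather than deleting them on the scanner's say-so.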



#2 VaDAR_


Posted 07 October 2012 - 07:47 PM

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       852
  UDP    192.168.0.2:137        *:*                                    4
  UDP    192.168.0.2:138        *:*                                    4

Netstat -ano results look awfully suspicious; what do you think?

Edited by VaDAR_, 07 October 2012 - 07:49 PM.
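Editor's added example (not code from the poster): a Python script that parses `netstat -ano` output and reviews each socket against a baseline of well-known Windows listeners. TCP 135 is the RPC endpoint mapper (hosted in svchost), TCP 139 and UDP 137/138 are the NetBIOS services owned by the System process (PID 4). The script flags any listener outside that baseline, any established connection, and any baseline port owned by an unexpected process. The first sample is a copy of the output quoted above; the second adds two constructed rows to show what a finding looks like.

```python
# Constructed copy of the netstat -ano output quoted in the post above.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       852
  UDP    192.168.0.2:137        *:*                                    4
  UDP    192.168.0.2:138        *:*                                    4
"""

# Constructed rows (TEST-NET address, made-up PIDs) appended to show findings.
CONSTRUCTED_EXTRA = SAMPLE_NETSTAT + """
  TCP    192.168.0.2:49152      198.51.100.7:8080      ESTABLISHED     3100
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2900
"""

# Well-known Windows listeners: (proto, port) -> (description, expected owner).
BASELINE = {
    ("TCP", 135): ("RPC endpoint mapper", "svchost"),
    ("TCP", 139): ("NetBIOS session service", "System"),
    ("UDP", 137): ("NetBIOS name service", "System"),
    ("UDP", 138): ("NetBIOS datagram service", "System"),
}


def split_addr(addr):
    """Split 'host:port', '[v6]:port' or '*:*' into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else ""
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state,
                     "pid": int(parts[-1])})
    return rows


def review(rows):
    """Return (row, reason) pairs for sockets that deserve a closer look."""
    findings = []
    for r in rows:
        key = (r["proto"], r["lport"])
        if r["state"] == "ESTABLISHED":
            findings.append((r, f"established connection to {r['fhost']}:{r['fport']} "
                                f"from PID {r['pid']}"))
        elif key not in BASELINE:
            findings.append((r, f"listener on {r['proto']}/{r['lport']} "
                                f"not in the baseline (PID {r['pid']})"))
        else:
            _, owner = BASELINE[key]
            is_system = r["pid"] == 4
            if (owner == "System") != is_system:
                findings.append((r, f"{r['proto']}/{r['lport']} expected to be "
                                    f"owned by {owner}, got PID {r['pid']}"))
    return findings


def review_text(text):
    return review(parse_netstat(text))


if __name__ == "__main__":
    for label, text in (("quoted output", SAMPLE_NETSTAT),
                        ("constructed extra rows", CONSTRUCTED_EXTRA)):
        findings = review_text(text)
        print(f"{label}: {len(findings)} finding(s)")
        for _, reason in findings:
            print("  -", reason)
```

On the output quoted in the post the review returns nothing, because every row is a standard service on the expected process; the baseline is what turns "looks suspicious" into a checkable statement. To go further you would map each flagged PID to its image path (for example with `tasklist /svc`) before drawing conclusions.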


#3 VaDAR_


Posted 09 October 2012 - 01:20 AM

Update: I'll uninstall Realtek Audio Drivers + Nvidia Graphics Driver and Palemoon, then re-check again... although what happens now is that when attempting to run a USEC Radix scan it BSODs :@

Edited by VaDAR_, 09 October 2012 - 01:22 AM.


