
Rootkit - GMER - Log reading


#1 WebDawg

Posted 31 August 2013 - 01:14 PM

Below is a log from GMER. I am looking for a rootkit on a user's system. One may be there, one may not. Please help!
 
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-31 14:12:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.CXM0 238.47GB
Running: upuwyqeu.exe; Driver: C:\Users\JOEVAN~1\AppData\Local\Temp\kwpirpob.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544                                                                            fffff800031f2000 45 bytes [24, B8, 00, 00, 00, 48, 89, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 590                                                                            fffff800031f202e 17 bytes {MOV RCX, RSI; CALL 0x2f3602}

---- User code sections - GMER 2.1 ----

.text     C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2136] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter                    0000000075fa87b1 4 bytes [C2, 04, 00, 00]
.text     C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2136] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                         0000000075c51465 2 bytes [C5, 75]
.text     C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2136] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                        0000000075c514bb 2 bytes [C5, 75]
.text     ...                                                                                                                                           * 2
.text     C:\Program Files (x86)\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075c51465 2 bytes [C5, 75]
.text     C:\Program Files (x86)\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075c514bb 2 bytes [C5, 75]
.text     ...                                                                                                                                           * 2
.text     C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                      0000000075c51465 2 bytes [C5, 75]
.text     C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                     0000000075c514bb 2 bytes [C5, 75]
.text     ...                                                                                                                                           * 2
.text     C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2344] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69           0000000075c51465 2 bytes [C5, 75]
.text     C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2344] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155          0000000075c514bb 2 bytes [C5, 75]
.text     ...                                                                                                                                           * 2
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                         0000000073ce1a22 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                         0000000073ce1ad0 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                         0000000073ce1b08 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                                         0000000073ce1bba 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                                                         0000000073ce1bda 2 bytes [CE, 73]
.text     C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                      0000000075c51465 2 bytes [C5, 75]
.text     C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                     0000000075c514bb 2 bytes [C5, 75]
.text     ...                                                                                                                                           * 2
.text     C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69               0000000075c51465 2 bytes [C5, 75]
.text     C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155              0000000075c514bb 2 bytes [C5, 75]
.text     ...                                                                                                                                           * 2
.text     C:\Windows\SysWOW64\RunDll32.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                0000000075c51465 2 bytes [C5, 75]
.text     C:\Windows\SysWOW64\RunDll32.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                               0000000075c514bb 2 bytes [C5, 75]
.text     ...                                                                                                                                           * 2

---- Registry - GMER 2.1 ----

Reg       HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf4c8a7c8                                                                   
Reg       HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf4c8a7c8@68092774b8b3                                                      0xC4 0x7A 0x17 0x6B ...
Reg       HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf4c8a7c8@98fe947c6cb3                                                      0x23 0x5A 0x75 0x0D ...
Reg       HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch                                                                              3836
Reg       HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf4c8a7c8 (not active ControlSet)                                               
Reg       HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf4c8a7c8@68092774b8b3                                                          0xC4 0x7A 0x17 0x6B ...
Reg       HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf4c8a7c8@98fe947c6cb3                                                          0x23 0x5A 0x75 0x0D ...

---- EOF - GMER 2.1 ----

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

#2 WebDawg

Posted 31 August 2013 - 01:38 PM

I do understand that:

 

.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                         0000000073ce1a22 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                         0000000073ce1ad0 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                         0000000073ce1b08 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                                         0000000073ce1bba 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                                                         0000000073ce1bda 2 bytes [CE, 73]

 

is part of Computrace and that is fine.
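A small parser for the "User code sections" part of the log posted above, as an added example that is not part of either post: it reads each `.text` line into its fields (image, PID, module, export, offset, address, patched bytes), honours GMER's `.text ... * N` collapsed-entry lines, and groups identical patches by how many processes carry them, which separates system-wide hooks such as the psapi.dll entries from the patches that appear in a single process such as the rpcnet.exe ones. The sample lines are copied from the posted log with the column padding trimmed; the function names are my own.

```python
import re
from collections import defaultdict

# GMER 2.1 "User code sections" line: .text <image>[<pid>] <module>!<export>[ + <off>] <addr> <n> bytes [<hex>]
LINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+\[(?P<bytes>[^\]]*)\]"
)
# ".text ... * N": GMER collapsed N further entries like the one above it.
MORE_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(\d+)")

# Constructed sample: lines copied from the posted log, column padding trimmed.
SAMPLE = r"""
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2136] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075fa87b1 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2136] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000075c51465 2 bytes [C5, 75]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2136] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075c514bb 2 bytes [C5, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075c51465 2 bytes [C5, 75]
.text  C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000073ce1a22 2 bytes [CE, 73]
.text  C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000073ce1ad0 2 bytes [CE, 73]
"""

def parse_user_code(log):
    """One dict per patched export; GMER's '* N' collapsed count is attached to the entry above it."""
    entries = []
    for line in log.splitlines():
        if m := LINE_RE.match(line):
            e = m.groupdict()
            e["pid"], e["offset"] = int(e["pid"]), int(e["offset"] or 0)
            e["collapsed"] = 0
            entries.append(e)
        elif (m := MORE_RE.match(line)) and entries:
            entries[-1]["collapsed"] += int(m.group(1))
    return entries

def group_patches(entries):
    """Key: (module, export, offset, address, bytes) -> set of (image, pid) carrying that patch."""
    groups = defaultdict(set)
    for e in entries:
        mod = e["module"].rsplit("\\", 1)[-1].lower()
        groups[(mod, e["func"], e["offset"], e["addr"], e["bytes"])].add((e["image"], e["pid"]))
    return groups

def summarize(groups):
    """Most widely shared patches first: the same bytes at the same address in many unrelated
    processes point to one component hooking that DLL system-wide; a single-process patch is specific to it."""
    rows = [{"patch": f"{m}!{f}+{o} @ {a} [{b}]", "processes": len(p)}
            for (m, f, o, a, b), p in groups.items()]
    return sorted(rows, key=lambda r: (-r["processes"], r["patch"]))
```

Run `summarize(group_patches(parse_user_code(open("gmer.log").read())))` over a full log to get the same table for every process GMER listed.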
