Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New SST Rootkit


  • This topic is locked This topic is locked
4 replies to this topic

#1 Alfredo_Benni

Alfredo_Benni

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:57 PM

Posted 18 December 2013 - 06:21 PM

Hi, I have a problem:

NOD32, Kaspersky, BitDefender, Malwarebytes, Superantispyware, all these do not find anything.

The log ComboFix:

What can I do?

ComboFix 13-12-17.02 - Administrator 18/12/2013  11:13:51.1.1 - x86 NETWORK
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.39.1040.18.2047.1667 [GMT 1:00]
Eseguito da: c:\users\Administrator\Desktop\aftredk.exe
AV: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Creato nuovo punto di ripristino
.
.
(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\pt
c:\windows\system32\pt\AuthFWSnapIn.Resources.dll
c:\windows\system32\pt\AuthFWWizFwk.Resources.dll
c:\windows\system32\pt\Narrator.resources.dll
.
.
(((((((((((((((((((((((((   Files Creati Da 2013-11-18 al 2013-12-18  )))))))))))))))))))))))))))))))))))
.
.
2013-12-11 14:57 . 2013-12-11 14:58    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-12-10 23:08 . 2013-05-10 04:56    12625408    ----a-w-    c:\windows\system32\wmploc.DLL
2013-12-10 23:08 . 2013-05-10 03:48    164864    ----a-w-    c:\program files\Windows Media Player\wmplayer.exe
2013-12-10 23:04 . 2013-11-12 02:07    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-12-10 23:03 . 2013-11-23 18:26    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-12-10 23:03 . 2013-10-19 01:36    159232    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-10 23:03 . 2013-10-12 02:04    121856    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-10 23:03 . 2013-10-12 02:03    163840    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-10 23:03 . 2013-10-12 01:15    141824    ----a-w-    c:\windows\system32\wscript.exe
2013-12-10 23:03 . 2013-10-12 01:15    126976    ----a-w-    c:\windows\system32\cscript.exe
2013-12-10 23:03 . 2013-10-30 02:19    301568    ----a-w-    c:\windows\system32\msieftp.dll
2013-12-10 23:01 . 2013-10-04 01:49    81408    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-10 23:01 . 2013-10-04 01:17    177152    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-10 23:01 . 2013-10-30 01:27    2349056    ----a-w-    c:\windows\system32\win32k.sys
2013-12-10 12:30 . 2013-12-10 12:30    --------    d-----w-    c:\users\Administrator
2013-12-05 16:29 . 2013-12-05 16:29    --------    d-----w-    c:\users\Amministratore\AppData\Local\Comodo
2013-12-05 16:29 . 2013-12-05 16:29    --------    d-----w-    C:\first_launch
2013-12-05 10:56 . 2013-12-11 19:23    --------    d-----w-    c:\program files\Unlocker
2013-12-05 09:43 . 2013-12-05 09:43    --------    d-----w-    c:\users\Amministratore\AppData\Roaming\QuickScan
2013-12-05 09:32 . 2013-12-05 09:32    --------    d-----w-    c:\users\Amministratore\AppData\Roaming\vlc
2013-12-05 09:15 . 2013-12-11 17:16    --------    d-----w-    C:\Indagine
2013-12-05 09:07 . 2013-12-11 19:19    --------    d-----w-    C:\Sicurezza
2013-12-04 14:11 . 2013-12-04 14:11    --------    d-----w-    c:\users\Amministratore\AppData\Local\NVIDIA
2013-12-04 14:03 . 2013-11-14 11:57    955168    ----a-w-    c:\windows\system32\nvspcap.dll
2013-12-04 14:02 . 2013-12-04 14:02    --------    d-----w-    c:\program files\AGEIA Technologies
2013-12-04 14:01 . 2013-12-05 14:34    --------    d-----w-    c:\users\UpdatusUser
2013-12-04 13:54 . 2013-12-04 13:54    --------    d-----w-    C:\NVIDIA
2013-12-04 11:11 . 2013-12-04 11:11    --------    d-----w-    c:\users\Amministratore\AppData\Local\Macromedia
2013-12-04 10:42 . 2013-12-04 10:42    --------    d-----w-    c:\users\Amministratore\AppData\Roaming\TeamViewer
2013-12-01 12:06 . 2013-12-01 12:06    --------    d-----w-    c:\program files\TeamViewer
2013-12-01 11:18 . 2013-12-01 11:18    --------    d-----w-    c:\windows\Migration
2013-12-01 11:11 . 2013-09-04 01:15    258560    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2013-12-01 11:11 . 2013-09-04 01:14    76288    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-12-01 11:11 . 2013-09-04 01:14    284672    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-12-01 11:11 . 2013-09-04 01:14    43008    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2013-12-01 11:11 . 2013-09-04 01:14    20480    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2013-12-01 11:11 . 2013-09-04 01:14    24064    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2013-12-01 11:11 . 2013-09-04 01:14    6016    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-11-22 00:44 . 2013-11-22 00:44    --------    d-----w-    c:\users\Pinotti\AppData\Local\Microsoft Help
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-14 11:57 . 2013-04-14 01:03    53024    ----a-w-    c:\windows\system32\OpenCL.dll
2013-11-14 11:57 . 2009-07-13 22:09    15862272    ----a-w-    c:\windows\system32\nvwgf2um.dll
2013-11-14 11:57 . 2013-02-25 22:22    2697248    ----a-w-    c:\windows\system32\nvapi.dll
2013-11-11 14:26 . 2013-04-14 01:03    3036960    ----a-w-    c:\windows\system32\nvsvc.dll
2013-11-11 14:26 . 2013-04-14 01:03    4321056    ----a-w-    c:\windows\system32\nvcpl.dll
2013-11-11 14:26 . 2013-04-14 01:03    664352    ----a-w-    c:\windows\system32\nvvsvc.exe
2013-11-11 14:26 . 2013-04-14 01:03    62752    ----a-w-    c:\windows\system32\nvshext.dll
2013-11-11 14:26 . 2013-04-14 01:03    2555168    ----a-w-    c:\windows\system32\nvsvcr.dll
2013-11-11 14:26 . 2013-04-14 01:03    209184    ----a-w-    c:\windows\system32\nvmctray.dll
2013-11-11 07:59 . 2013-11-11 07:59    590112    ----a-w-    c:\windows\system32\nvStreaming.exe
2013-10-24 17:19 . 2012-11-29 11:46    86888    ----a-w-    c:\windows\system32\LMIRfsClientNP.dll
2013-10-24 17:19 . 2012-11-29 11:46    53064    ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-10-24 17:19 . 2012-11-29 11:46    31560    ----a-w-    c:\windows\system32\LMIport.dll
2013-10-24 17:19 . 2012-11-29 11:46    85832    ----a-w-    c:\windows\system32\LMIinit.dll
2013-10-12 02:03 . 2013-11-13 00:50    656896    ----a-w-    c:\windows\system32\nshwfp.dll
2013-10-12 02:01 . 2013-11-13 00:50    679424    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-10-12 02:01 . 2013-11-13 00:50    216576    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2013-10-05 19:57 . 2013-11-13 00:50    1168384    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-04 01:58 . 2013-11-13 00:53    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2013-10-04 01:56 . 2013-11-13 00:53    168960    ----a-w-    c:\windows\system32\credui.dll
2013-10-04 01:56 . 2013-11-13 00:53    1796096    ----a-w-    c:\windows\system32\authui.dll
2013-10-03 01:58 . 2013-11-13 00:50    305152    ----a-w-    c:\windows\system32\gdi32.dll
2013-09-25 02:01 . 2013-11-13 00:50    136640    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2013-09-25 02:01 . 2013-11-13 00:50    67520    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2013-09-25 01:57 . 2013-11-13 00:50    99840    ----a-w-    c:\windows\system32\sspicli.dll
2013-09-25 01:57 . 2013-11-13 00:50    22016    ----a-w-    c:\windows\system32\secur32.dll
2013-09-25 01:57 . 2013-11-13 00:50    247808    ----a-w-    c:\windows\system32\schannel.dll
2013-09-25 01:56 . 2013-11-13 00:50    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2013-09-25 01:56 . 2013-11-13 00:50    1038848    ----a-w-    c:\windows\system32\lsasrv.dll
2013-09-25 00:49 . 2013-11-13 00:50    22016    ----a-w-    c:\windows\system32\lsass.exe
2013-09-25 00:49 . 2013-11-13 00:50    15872    ----a-w-    c:\windows\system32\sspisrv.dll
.
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.



BC AdBot (Login to Remove)

 


#2 Alfredo_Benni

Alfredo_Benni
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:57 PM

Posted 18 December 2013 - 06:22 PM

The problem is very similar to:

http://www.bleepingcomputer.com/forums/t/517045/infected-with-rootkit-sst-b-some-apps-wont-run/



#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:57 PM

Posted 23 December 2013 - 03:09 PM

Hello and welcome to BleepingComputer! 
 
 
 
I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce. 
 
 
As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us. 
 
If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature). 
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.
 
 
 
Please generate other DDS logs (download it from here if you haven't already) and post them in your next reply along with other changes that may have occured since you last posted.
Also download and run GMER from this link: GMER download link.
 
 
 
Thank you very much for your patience. 
 
 
 
 
Regards,
 
Elle

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:57 PM

Posted 28 December 2013 - 06:40 AM

Hi,

 

Do you still need help? Please let me know. 

 

 

Elle 


Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:57 PM

Posted 02 January 2014 - 07:29 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users