Suspected rootkit [Solved]
#16 nitts99 (Topic Starter, Member, 12 posts)

OK, I ran that program.

Thanks for all your help, very much appreciated!! But I'm a little confused--is the system clean? At one point you said there was no evidence of malware, but there *was* evidence of a rootkit. Did we solve that? If so, at which point?

I ran GMER's Catchme again, and it still shows the modified NTDLL--is there anything to be concerned about?
#17 CompCav (Expert, Member 5k, 12,448 posts)

is the system clean?

Yes!

there *was* evidence of a rootkit. Did we solve that? If so, at which point?

Proved it was a normal file and not a rootkit during the run of TDSSKiller.

I ran GMER's Catchme again, and it still shows the modified NTDLL--is there anything to be concerned about?

aswMBR is a later product of GMER. The file it showed is not a rootkit but something that needed to be investigated which we did with aswMBR and TDSSKiller and it was clean.

Regards,

CompCav

#18 nitts99 (Topic Starter, Member, 12 posts)

TDSSKiller?

I looked through the instructions and I didn't see that one. Was it part of the other tools? Otherwise I don't think I ran that one?

#19 CompCav (Expert, Member 5k, 12,448 posts)

Here it is, my mistake :blush: :

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • Get the report by selecting Reports.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

#20 nitts99 (Topic Starter, Member, 12 posts)

OK, I did that and it only found a couple of suspicious things that weren't actually suspicious (Crashplan & Box.net).

So any thoughts on the modified boot record? Still leaves me a bit uneasy.

#21 CompCav (Expert, Member 5k, 12,448 posts)

So any thoughts on the modified boot record?

What brand and model is your computer?

#22 nitts99 (Topic Starter, Member, 12 posts)

Self-built. Windows 7 home premium that was upgraded to Pro via MS.

#23 CompCav (Expert, Member 5k, 12,448 posts)

Excellent!

OK here is what we can do:

Step 1.

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

But this time select "no scan" instead of "quickscan" before clicking Scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

If it does not run, rename it iexplore.exe and try it again.

Then zip up the mbr.dat file and attach it to your next post. I can analyze it in detail and see what we need to do if anything.

:thumbsup:

#24 nitts99 (Topic Starter, Member, 12 posts)

Thanks again.
Attached.

Attached file: MBR.zip (1.41KB, 35 downloads)

#25 CompCav (Expert, Member 5k, 12,448 posts)

I have completed a detailed analysis of your master boot record and there is absolutely no evidence of a rootkit in it or any other malware for that matter.

However, I know the catchme ARK scanner log has given you some concerns. During our formal training and even now we continue to monitor all the developments in malware and especially the area of rootkits. Here is our response to those concerns that we know will alleviate your concerns:

Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Regards,

CompCav
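
The point made in the post above, that an ARK scanner only reports which module owns each SSDT entry and leaves the judgement to whoever reads the log, can be shown with a small triage script. This is an added example, not code from the thread or from GMER, aswMBR or TDSSKiller; the log lines are constructed in a simplified ARK-like layout, the module and vendor names are made up, and the rule that flags owners outside the System32 drivers directory is an assumed triage heuristic.

```python
import re

# Constructed sample in a simplified ARK-style layout (not a real GMER log):
# owning module, optional description, the Zw* service, and the table address.
SAMPLE_SSDT_LOG = """\
SSDT  \\SystemRoot\\System32\\ntoskrnl.exe  ZwClose [0x8291A4F0]
SSDT  \\SystemRoot\\System32\\drivers\\avkmgr.sys (Antivirus filter/ExampleAV)  ZwCreateFile [0x9A1B2C30]
SSDT  \\SystemRoot\\System32\\drivers\\avkmgr.sys (Antivirus filter/ExampleAV)  ZwOpenProcess [0x9A1B2C80]
SSDT  \\SystemRoot\\System32\\drivers\\sandbox.sys (Sandbox driver/ExampleSB)  ZwCreateSection [0x9B0000A0]
SSDT  \\??\\C:\\Windows\\Temp\\x.sys  ZwQueryDirectoryFile [0x8F000010]
"""

LINE_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<service>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)

def parse_ssdt_log(text):
    """Return one dict per SSDT line; lines in any other layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["addr"] = int(entry["addr"], 16)
            entries.append(entry)
    return entries

def triage(entries):
    """Group SSDT entries by the module that now owns each service address.
    An address still inside ntoskrnl.exe is not a hook (the kernel services the
    call itself). Any other owner is a hook the analyst must attribute, legitimate
    or not; the scanner only reports it. The location flag is an assumed heuristic."""
    report = {"unhooked": [], "hooks": {}}
    by_module = {}
    for e in entries:
        by_module.setdefault(e["module"], []).append(e)
    for module, group in by_module.items():
        path = module.replace("\\", "/").lower()
        name = path.rsplit("/", 1)[-1]
        services = sorted(e["service"] for e in group)
        if name == "ntoskrnl.exe":
            report["unhooked"].extend(services)
            continue
        report["hooks"][name] = {
            "services": services,
            "description": group[0]["desc"] or "",
            "unusual_location": "/system32/drivers/" not in path,
        }
    return report
```

The output is a worklist, not a verdict: each owner under "hooks" still has to be identified (vendor, signature, install path) before it is called good or bad, which is exactly the step the scanner itself does not take.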

#26 nitts99 (Topic Starter, Member, 12 posts)

Awesome, thanks!

#27 CompCav (Expert, Member 5k, 12,448 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.