Undetectable malware on 7 scanners

#1
Dojo (New Member)
I have no idea where I picked it up.

What it does is, whenever I open a web browser and go to a site, it will throw up a popup ad. Usually a 640x480 or larger. It will do this on sites where there are NO popups, like google.com. (Internet Explorer's little "popup was not blocked" icon doesn't appear.)

It doesn't do it every time, only intermittently.

It does it regardless what browser I use (Firefox, IE, Netscape).

Steps taken so far (latest versions and definitions for everything):

- Scandisk
- Ad-aware
- Spybot Search & Destroy
- HiJack This, report analyzed on hijackthis.de
- McAfee VirusScan
- avast! Antivirus
- Microsoft AntiSpyware
- XoftSpy
- Spy Sweeper
- Windows Update (verified all latest updates installed)
- Checked HOSTS & LMHOSTS

EVERYTHING gives me a "clean" scan report. Task Manager and services show nothing unusual running. HiJack This doesn't show anything in "ADS" (alternate data streams).

Anyone ever heard of anything like this?

Here is an example of one of the (ironic) ads:

Posted Image

Here's my HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:33 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\Explorer.EXE
E:\DU Meter\DUMeter.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\PopUp Killer\PopUpKiller.exe
E:\HijackThis 1.99.1\HijackThis.exe
C:\WINDOWS\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\clison\Application Data\Mozilla\Profiles\default\9j4akad8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\clison\Application Data\Mozilla\Profiles\default\9j4akad8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - E:\MACROE~1\iCapture.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - E:\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\McAfee VirusScan 7\VSCShellExtension.dll
O4 - HKLM\..\Run: [PopUpKiller] E:\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [DU Meter] E:\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Sound Blaster Live!\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ProtoWall] E:\Protowall\ProtoWall.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: &NeoTrace It! - E:\NEOTRA~1.25\NTXcontext.htm
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\system32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\system32\link.htm
O8 - Extra context menu item: Download with GetRight - E:\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Liatro SWF Decoder Catch - E:\Liatro SWF Decoder 4.6\swfcatch.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Decompiler - E:\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - E:\NEOTRA~1.25\NTXtoolbar.htm (HKCU)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - E:\pcAnywhere 11.5\awhost32.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Diskeeper Professional\DkService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - E:\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: PDEngine - Raxco Software, Inc. - E:\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - E:\PerfectDisk\PDSched.exe

Here's the WinSock LSP log from Spybot Search & Destroy:

--- Spybot - Search & Destroy version: 1.4  (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-07-31 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-10-14 Includes\Cookies.sbi
2005-10-14 Includes\Dialer.sbi
2005-10-14 Includes\Hijackers.sbi
2005-10-14 Includes\Keyloggers.sbi
2005-10-14 Includes\Malware.sbi
2005-10-14 Includes\PUPS.sbi
2005-10-14 Includes\Revision.sbi
2005-10-14 Includes\Security.sbi
2005-10-14 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-10-14 Includes\Trojans.sbi

Protocol  0: McAfee_GdLsp [MSAFD Tcpip [TCP/IP]]
        GUID: {2D6A1DE3-767B-41CB-B506-8B572B58237E}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  1: McAfee_GdLsp [MSAFD Tcpip [UDP/IP]]
        GUID: {D2B29C27-14CD-4E49-9AE5-E4100993EF1E}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  2: McAfee_GdLsp [MSAFD Tcpip [RAW/IP]]
        GUID: {11387A14-BD7E-48C1-8CD6-B77FFE0C28F0}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  3: McAfee_GdLsp [RSVP UDP Service Provider]
        GUID: {C2111C9E-D154-4499-B3A7-44DE6F385DA6}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  4: McAfee_GdLsp [RSVP TCP Service Provider]
        GUID: {4507D722-BDBE-427B-940D-3DB5844EB1A7}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  5: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{ED478FE1-3C83-40C7-AFA4-C5CF9E889811}] SEQPACKET 0]
        GUID: {992C34EA-B47B-4D06-AD32-A1B55A348DF0}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  6: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{ED478FE1-3C83-40C7-AFA4-C5CF9E889811}] DATAGRAM 0]
        GUID: {934041F7-F116-45EC-8E6E-B7EFF1BA59A6}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  7: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F5DBC3F-2F8D-4391-9757-DE2F7BD0EC54}] SEQPACKET 1]
        GUID: {AFDCA131-4010-47D3-9B91-3F62B94C7BF0}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  8: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F5DBC3F-2F8D-4391-9757-DE2F7BD0EC54}] DATAGRAM 1]
        GUID: {94488A97-062B-48BD-B495-18D1282F431F}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  9: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DB80ECC-705A-400C-929F-3C27D8A8EED3}] SEQPACKET 2]
        GUID: {FCB815BD-9942-4CE6-A40F-B71A0FC147AB}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol 10: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DB80ECC-705A-400C-929F-3C27D8A8EED3}] DATAGRAM 2]
        GUID: {D4F528D8-5185-41DA-90A4-CB3D6E305FEE}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol 11: McAfee_GdLsp [MSAFD Pgm (RDM)]
        GUID: {BA53CC7F-5E4C-4936-B0EA-AD625E8A9378}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol 12: McAfee_GdLsp [MSAFD Pgm (Stream)]
        GUID: {9E750A81-F460-445A-908F-824830BEA6BB}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol 13: MSAFD Tcpip [TCP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip [*]

Protocol 14: MSAFD Tcpip [UDP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip [*]

Protocol 15: MSAFD Tcpip [RAW/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip [*]

Protocol 16: RSVP UDP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
 Description: Microsoft Windows NT/2k/XP RVSP
 DB filename: %SystemRoot%\system32\rsvpsp.dll
 DB protocol: RSVP * Service Provider

Protocol 17: RSVP TCP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
 Description: Microsoft Windows NT/2k/XP RVSP
 DB filename: %SystemRoot%\system32\rsvpsp.dll
 DB protocol: RSVP * Service Provider

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ED478FE1-3C83-40C7-AFA4-C5CF9E889811}] SEQPACKET 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ED478FE1-3C83-40C7-AFA4-C5CF9E889811}] DATAGRAM 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F5DBC3F-2F8D-4391-9757-DE2F7BD0EC54}] SEQPACKET 1
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F5DBC3F-2F8D-4391-9757-DE2F7BD0EC54}] DATAGRAM 1
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DB80ECC-705A-400C-929F-3C27D8A8EED3}] SEQPACKET 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DB80ECC-705A-400C-929F-3C27D8A8EED3}] DATAGRAM 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD Pgm (RDM)
        GUID: {8C108B26-0ECB-4718-B5BC-B74FCB130B9B}
    Filename: %SystemRoot%\system32\mswsock.dll

Protocol 25: MSAFD Pgm (Stream)
        GUID: {8C108B26-0ECB-4718-B5BC-B74FCB130B9B}
    Filename: %SystemRoot%\system32\mswsock.dll

Protocol 26: McAfee_GdLsp
        GUID: {4D7DC2C0-7807-11D6-A9EA-00045A6B76C2}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Namespace Provider  0: Tcpip
        GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: TCP/IP

Namespace Provider  1: NTDS
        GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
 Description: Microsoft Windows NT/2k/XP name space provider
 DB filename: %SystemRoot%\system32\winrnr.dll
 DB protocol: NTDS

Namespace Provider  2: Network Location Awareness (NLA) Namespace
        GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP name space provider
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: NLA-Namespace

Edited by Dojo, 21 October 2005 - 05:31 AM.
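The Spybot WinSock LSP dump above is the one place in this post where a third-party component sits in the network path of every process, so it is worth reading systematically rather than by eye. The following is an added example, not code from the poster or from Spybot: a small parser for the dump's "Protocol N: name / GUID / Filename / DB ..." block layout, plus two checks a responder would run over it: which provider DLLs are not the Windows-supplied Winsock providers, and which catalog entries are layered wrappers around a base provider. The sample text is a shortened copy of the dump in the post; the set of known Microsoft provider DLLs is an assumption for Windows XP.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the Spybot S&D WinSock LSP dump quoted above
# (indices and GUIDs copied from the post; the list is shortened for the example).
SAMPLE_LSP_LOG = r"""
Protocol  0: McAfee_GdLsp [MSAFD Tcpip [TCP/IP]]
        GUID: {2D6A1DE3-767B-41CB-B506-8B572B58237E}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol  5: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{ED478FE1-3C83-40C7-AFA4-C5CF9E889811}] SEQPACKET 0]
        GUID: {992C34EA-B47B-4D06-AD32-A1B55A348DF0}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Protocol 13: MSAFD Tcpip [TCP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip [*]

Protocol 16: RSVP UDP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
 Description: Microsoft Windows NT/2k/XP RVSP
 DB filename: %SystemRoot%\system32\rsvpsp.dll
 DB protocol: RSVP * Service Provider

Protocol 26: McAfee_GdLsp
        GUID: {4D7DC2C0-7807-11D6-A9EA-00045A6B76C2}
    Filename: C:\WINDOWS\System32\CSLSP.DLL

Namespace Provider  1: NTDS
        GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
 Description: Microsoft Windows NT/2k/XP name space provider
 DB filename: %SystemRoot%\system32\winrnr.dll
 DB protocol: NTDS
"""

# Assumption: the Winsock provider DLLs that ship with Windows XP. Anything else is a third-party LSP.
KNOWN_MICROSOFT_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

HEADER_RE = re.compile(r"^(Protocol|Namespace Provider)\s+(\d+):\s+(.*)$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


@dataclass
class LspEntry:
    kind: str            # "Protocol" or "Namespace Provider"
    index: int           # catalog position as printed by Spybot
    name: str            # provider name, e.g. "McAfee_GdLsp [MSAFD Tcpip [TCP/IP]]"
    fields: dict = field(default_factory=dict)

    @property
    def filename(self) -> str:
        return self.fields.get("Filename", "")

    @property
    def dll_basename(self) -> str:
        return self.filename.replace("/", "\\").rsplit("\\", 1)[-1]

    @property
    def known_to_spybot(self) -> bool:
        # Spybot prints the "DB filename"/"DB protocol" lines only for providers in its database.
        return "DB filename" in self.fields


def parse_lsp_log(text: str) -> list[LspEntry]:
    """Split the dump into blank-line separated blocks and read each header plus its key: value lines."""
    entries: list[LspEntry] = []
    for raw_block in re.split(r"\n\s*\n", text.strip()):
        lines = raw_block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # tolerate stray lines such as the Spybot version banner
        entry = LspEntry(kind=m.group(1), index=int(m.group(2)), name=m.group(3).strip())
        for line in lines[1:]:
            f = FIELD_RE.match(line)
            if f:
                entry.fields[f.group(1).strip()] = f.group(2).strip()
        entries.append(entry)
    return entries


def third_party_providers(entries: list[LspEntry]) -> dict[str, list[int]]:
    """Map each non-Microsoft protocol provider DLL to the catalog indices it occupies."""
    result: dict[str, list[int]] = {}
    for e in entries:
        if e.kind != "Protocol" or e.dll_basename.lower() in KNOWN_MICROSOFT_PROVIDER_DLLS:
            continue
        result.setdefault(e.dll_basename, []).append(e.index)
    return {dll: sorted(idx) for dll, idx in result.items()}


def layered_over(entries: list[LspEntry]) -> dict[int, str]:
    """For layered entries named 'X [Y]' that Spybot does not know, return index -> Y (the wrapped base)."""
    wrapped: dict[int, str] = {}
    for e in entries:
        m = re.match(r"^(\S+) \[(.*)\]$", e.name)
        if m and not e.known_to_spybot:
            wrapped[e.index] = m.group(2)
    return wrapped
```

On the full dump in the post this reports a single third-party DLL, CSLSP.DLL, layered over every base transport (entries 0 to 12) plus its own chain entry (26). That is the expected shape of a legitimate antivirus LSP; what would warrant attention is a DLL outside the vendor's own directory, or a wrapper whose base provider does not appear later in the catalog.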



#2
Dojo (Topic Starter)
I found my problem. I was rootkit'd... BIGTIME.

http://tommycatkins....otkitReveal.txt

HKLM\SOFTWARE\CqXO2AErJN65	10/18/2005 2:03 PM	0 bytes	Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Recover My Files	7/17/2005 12:28 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROTECTEDSTORAGE	3/3/2003 8:02 PM	0 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_QL1NMDD	10/18/2005 2:03 PM	0 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\ql1240	3/3/2003 8:05 PM	0 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\ql1nmdd	10/20/2005 7:24 PM	0 bytes	Hidden from Windows API.
C:\Program Files\Htmtware	10/21/2005 12:00 AM	0 bytes	Hidden from Windows API.
C:\Program Files\Htmtware\ace.dll	10/18/2005 2:03 PM	568.00 KB	Hidden from Windows API.
C:\Program Files\Htmtware\AI_18-10-2005.log	10/18/2005 2:03 PM	3 bytes	Hidden from Windows API.
C:\Program Files\Htmtware\AI_19-10-2005.log	10/19/2005 12:00 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Htmtware\AI_20-10-2005.log	10/20/2005 12:05 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Htmtware\AI_21-10-2005.log	10/21/2005 12:01 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Htmtware\Cache	10/21/2005 1:29 AM	0 bytes	Hidden from Windows API.
C:\Program Files\Htmtware\Cache\00000029_4355aa81_0003f411	10/20/2005 7:33 PM	17.92 KB	Hidden from Windows API.

[edited for size/length, a large number of files and folders were present in the "Cache" folder.]

C:\Program Files\Htmtware\Cache\dns	10/21/2005 2:20 AM	64.71 KB	Hidden from Windows API.
C:\Program Files\Htmtware\Cache\index	10/21/2005 2:20 AM	77.11 KB	Hidden from Windows API.
C:\Program Files\Htmtware\data.bin	10/18/2005 2:03 PM	114.14 KB	Hidden from Windows API.
C:\Program Files\Htmtware\lmmestrt.exe	10/20/2005 7:02 AM	912.00 KB	Hidden from Windows API.
C:\Program Files\Htmtware\WinGenerics.dll	10/18/2005 2:03 PM	576.00 KB	Hidden from Windows API.
C:\Program Files\Htmtware\wsoquery.exe	10/18/2005 2:03 PM	160.00 KB	Hidden from Windows API.
C:\WINDOWS\system32\drivers\ctomspqm.sys	10/18/2005 2:03 PM	12.00 KB	Hidden from Windows API.
C:\WINDOWS\system32\svcmsscp.exe	10/18/2005 2:03 PM	460.00 KB	Hidden from Windows API.

A Google search for ctomspqm.sys, svcmsscp.exe, and htmtware revealed nothing. However, a search for WinGenerics.dll revealed that this indeed was a rootkit version of the 2nd-Thought trojan. The rootkit's ability to hide from the Windows API at the kernel level enabled it to evade detection on at least eight scanners. One of them - Spy Sweeper - was even advertised as being able to detect rootkits. It clearly missed this one. (I had also tried Trojan Hunter.)

I was able to click "Start", "Run", and enter "c:\progra~1\htmtware". This opened the directory. I was able to delete all but 4 files, revealing that they were indeed running but not showing up to Windows. I reset the machine without shutting down and booted up to MS-DOS 6.22 using a floppy. I then loaded Sysinternals NTFSDOS, and was able to delete the htmtware directory along with its remaining 4 files (this is basically like using a Windows boot CD or ERD Commander). I was also able to delete the ctomspqm.sys and svcmsscp.exe files.

After rebooting, I was able to use a .reg file to delete the HKLM\SOFTWARE\CqXO2AErJN65 key ([-HKEY_LOCAL_MACHINE\Software\CqXO2AErJN65]).

After running a scandisk on C:\ and another reboot, RootkitRevealer finally gave me a clean scan. The remaining registry keys went away on their own.

Clearly, this reveals a whole new level of security compromise. I particularly find this little bit of info disturbing:


Can a Rootkit hide from RootkitRevealer?

It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.

Is there a sure-fire way to know of a rootkit's presence?

In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.

The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.


Antivirus and Antispyware scanners at this point are obviously unfit to deal with rootkits. There will have to be some serious overhauling to these programs in order for them to deal with an infection like this. Likewise, there will need to be a major Windows update as well.

Take note!

Edited by Dojo, 21 October 2005 - 05:27 AM.
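Two things in this post lend themselves to a worked example: the RootkitRevealer output pasted above, which is a tab-separated list of path, timestamp, size and discrepancy type, and the quoted FAQ, whose whole method is comparing what the Windows API reports against a raw read of the hive and file system. The code below is an added example and is not the poster's code nor Sysinternals' code: it parses log lines in the format shown in the post (the sample is built from those lines), pulls out the hidden objects that would survive a reboot (service keys, drivers, executables under system32), finds the timestamp most of the hidden objects share, and shows the cross-view comparison on two constructed directory listings. The four-column tab layout and the size units are assumptions taken from the pasted output.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of RootkitRevealer's tab-separated output, built from lines in the post above.
SAMPLE_RKR_LOG = (
    "HKLM\\SOFTWARE\\CqXO2AErJN65\t10/18/2005 2:03 PM\t0 bytes\tHidden from Windows API.\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Recover My Files"
    "\t7/17/2005 12:28 PM\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_QL1NMDD\t10/18/2005 2:03 PM\t0 bytes\tHidden from Windows API.\n"
    "HKLM\\SYSTEM\\ControlSet001\\Services\\ql1nmdd\t10/20/2005 7:24 PM\t0 bytes\tHidden from Windows API.\n"
    "C:\\Program Files\\Htmtware\\ace.dll\t10/18/2005 2:03 PM\t568.00 KB\tHidden from Windows API.\n"
    "C:\\Program Files\\Htmtware\\Cache\\dns\t10/21/2005 2:20 AM\t64.71 KB\tHidden from Windows API.\n"
    "C:\\WINDOWS\\system32\\drivers\\ctomspqm.sys\t10/18/2005 2:03 PM\t12.00 KB\tHidden from Windows API.\n"
    "C:\\WINDOWS\\system32\\svcmsscp.exe\t10/18/2005 2:03 PM\t460.00 KB\tHidden from Windows API.\n"
)

REGISTRY_HIVES = {"HKLM", "HKCU", "HKU", "HKCR", "HKCC"}
SIZE_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumed suffixes


def parse_size(text: str) -> int:
    """'568.00 KB' -> 581632. RootkitRevealer prints sizes with a unit suffix."""
    number, unit = text.split()
    return int(round(float(number) * SIZE_UNITS[unit]))


@dataclass(frozen=True)
class Discrepancy:
    path: str
    timestamp: str
    size_bytes: int
    description: str

    @property
    def is_registry(self) -> bool:
        return self.path.split("\\", 1)[0].upper() in REGISTRY_HIVES

    @property
    def hidden(self) -> bool:
        return self.description.startswith("Hidden from Windows API")


def parse_rkr_log(text: str) -> list[Discrepancy]:
    """One discrepancy per non-empty line: path <TAB> timestamp <TAB> size <TAB> description."""
    out: list[Discrepancy] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, ts, size, desc = line.split("\t", 3)
        out.append(Discrepancy(path, ts, parse_size(size), desc))
    return out


def persistence_candidates(items: list[Discrepancy]) -> list[str]:
    """Hidden objects that would survive a reboot: service keys, kernel drivers, system32 executables."""
    hits: list[str] = []
    for d in items:
        if not d.hidden:
            continue
        p = d.path.lower()
        if d.is_registry and "\\services\\" in p:
            hits.append(d.path)
        elif not d.is_registry and (p.endswith(".sys") or ("\\system32\\" in p and p.endswith(".exe"))):
            hits.append(d.path)
    return hits


def drop_event(items: list[Discrepancy]) -> tuple[str, int]:
    """Timestamp shared by the most hidden objects, which is usually the moment the kit was installed."""
    counts = Counter(d.timestamp for d in items if d.hidden)
    return counts.most_common(1)[0]


def cross_view_diff(api_view: set[str], raw_view: set[str]) -> tuple[set[str], set[str]]:
    """The principle behind RootkitRevealer, reduced to set arithmetic (illustration, not its code):
    objects in the raw on-disk/hive view but missing from the API view are being hidden;
    objects only in the API view are phantoms. Both views must come from the same moment."""
    return raw_view - api_view, api_view - raw_view


# Constructed listings of one directory as seen through the API and through a raw volume read.
API_VIEW = {"Common Files", "Internet Explorer", "Messenger"}
RAW_VIEW = {"Common Files", "Internet Explorer", "Messenger", "Htmtware"}
```

The FAQ's caveat applies directly to `cross_view_diff`: the raw view is only trustworthy if the code that produced it was not itself intercepted, which is why the poster's offline deletion from a DOS boot worked where the in-system scanners did not. `drop_event` is the triage step the poster did by hand when noticing that most of the hidden objects carried the 10/18/2005 2:03 PM stamp.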
