Rootkit

Discussion in 'Malware Help (A Specialist Will Reply)' started by caben, Jun 1, 2013.

  1. caben

    caben Private E-2

    About a year ago a "friend" installed a rootkit he had written himself on my machine for "testing". Features include him being able to turn my monitor off and on and input text into a Notepad file I have open on my screen. My network sharing settings also always get reset to On regardless of me changing them back.

    He claimed it loaded itself into MBR - true? Don't know. But CatchMe (http://www.gmer.net/, a rootkit detector) reports:

    ----------------------------
    disk not found C:\

    please note that you need administrator rights to perform deep scan

    detected NTDLL code modification:
    ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error
    ----------------------------

    No, I cannot contact him for information about this issue (sorry). I performed all the steps in the readme first thread and have attached the requisite logs. So far I've had very little luck in detecting and cleaning a virus that isn't currently known.
     

    Attached Files:
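    Added here as an illustration, not code from the thread or from GMER: a small Python triage helper that parses the "detected NTDLL code modification" entries quoted above into (function, observed, expected) triples, notes that the same report also says the scan hit an initialization error and lacked administrator rights (so its findings should not be taken at face value), and groups the listed exports by what a user-mode hook on them could hide. The HIDING_CAPABILITY grouping and all function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the CatchMe output quoted in the first post, as pasted.
SAMPLE_REPORT = """disk not found C:\\
please note that you need administrator rights to perform deep scan
detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, \
ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, \
ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error
"""

# What a user-mode hook on each export lets a rootkit hide from tools that call
# ntdll directly. This grouping is an assumption of the example, not GMER's.
HIDING_CAPABILITY: Dict[str, str] = {
    "ZwEnumerateKey": "registry keys",
    "ZwQueryKey": "registry keys",
    "ZwOpenKey": "registry keys",
    "ZwEnumerateValueKey": "registry values",
    "ZwQueryValueKey": "registry values",
    "ZwOpenFile": "files",
    "ZwQueryDirectoryFile": "files",
    "ZwQuerySystemInformation": "processes and modules",
    "ZwClose": "handles (support hook)",
}

ENTRY_RE = re.compile(r"(Zw\w+)\s+(\d+)\s*!=\s*(\d+)")

def parse_ntdll_modifications(report: str) -> List[Tuple[str, int, int]]:
    """Return (function, observed, expected) triples from a CatchMe report."""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("detected NTDLL code modification:"):
            # Anchoring on the 'Zw... N != M' shape drops text that fused into
            # the last entry, such as the trailing 'Initialization error'.
            payload = " ".join(lines[i + 1:])
            return [(fn, int(o), int(e)) for fn, o, e in ENTRY_RE.findall(payload)]
    return []

def scan_is_reliable(report: str) -> bool:
    """False when the report itself says the scan did not complete properly."""
    return not ("Initialization error" in report or "need administrator rights" in report)

def summarize(findings: List[Tuple[str, int, int]]) -> Dict[str, List[str]]:
    """Group reported hooks by what they could hide; unknown names go to 'other'."""
    groups: Dict[str, List[str]] = {}
    for fn, _observed, _expected in findings:
        groups.setdefault(HIDING_CAPABILITY.get(fn, "other"), []).append(fn)
    return groups
```

When the scan is flagged unreliable, re-run the scanner with administrator rights before treating the listed exports as real hooks; that is consistent with the later reply in this thread finding the logs clean.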

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    MGTools did not run correctly. Could you please run it again to see if it produces a set of complete, updated logs? Thanks.
     
  3. caben

    caben Private E-2

    OK, ran it again with my AV and firewall disabled. Results are in the attachment.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Looks like a beautifully clean computer. :)

    C:\xyz <--- I presume this is a directory you created?
     
  5. caben

    caben Private E-2

    Yes, that's from me.
     
  6. caben

    caben Private E-2

    Sorry, I am still experiencing the symptoms as well, if that wasn't clear.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can ask about the network sharing in the Networking forum. Your logs look very clean to me; however, to cover all bases, let's have you run another anti-rootkit scanner. Plus another scanner.

    Download and run Sophos Anti-Rootkit


    Run this and attach the results.

    Using ESET's Online Scanner
     
