3 Replies Latest reply on Jul 19, 2011 8:23 AM by paullotion

    Rootkit Detection - Need expert assistance

      I've had some indication of rootkit activity on one of our PCs. I need answers to the following questions:


      1) Based on the reports below, is there a rootkit on our system?

      2) Can the rootkit be cleaned without having to format the PC and reinstall Windows? If so, should I run the delete processes on RootKit Detective or RootRepeal?

      3) I have a new PC that I want to move My Documents files and Favorites/Firefox Bookmarks, etc. to. Should those files be safe?

      4) I have a backup drive (one that started malfunctioning just before the rootkit activity) with files from #3 on it. Should that drive be safe?


      I've run RootKit Detective and it came back with one hidden registry key/value:


      HKLM\SOFTWARE\Classes\MfxSoftSynths\{89D244AB-19CF-4575-B859-E6C2352BE0D4}


      46 Hooked Services starting with Zw and running through C:\Windows\system32\drivers\aswSrix.sys and C:\Windows\system32\drivers\aswSP.sys


      and six different hooked exports:


      Export : Function : USER32.dll!SetWindowsHookExW => 00390000 + 0x804

      Export : Function : USER32.dll!SetWindowsHookExA => 00390000 + 0x600

      Export : Function : ADVAPI32.dll!SetSerivceObjectSecurity => 00380000 + 0x1014

      Export : Function : ADVAPI32.dll!RegOpenKeyA => 002C0000 + 0xfef

      Export : Function : ADVAPI32.dll!CreateServiceW => 00380000 + 0x3fc

      Export : Function : ADVAPI32.dll!CreateServiceA => 00380000 + 0x1f8


      I've also run RootRepeal and gotten the following Report:


      ROOTREPEAL (c) AD, 2007-2009
      ==================================================
      Scan Start Time:  2011/07/15 21:41
      Program Version:  Version 1.3.5.0
      Windows Version:  Windows XP SP3
      ==================================================

      Drivers
      -------------------
      Name: aswTdi.SYS
      Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
      Address: 0xF76C2000 Size: 35072 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: atapi.sys
      Image Path: atapi.sys
      Address: 0xF7286000 Size: 96512 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: Cdfs.SYS
      Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
      Address: 0xAB68E000 Size: 63744 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: dump_iastor.sys
      Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
      Address: 0xAB107000 Size: 872448 File Visible: No Signed: -
      Status: -

      Name: Fs_Rec.SYS
      Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
      Address: 0xF7A8C000 Size: 7936 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: iaStor.sys
      Image Path: iaStor.sys
      Address: 0xF729E000 Size: 871040 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: mrxdav.sys
      Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
      Address: 0xA97C2000 Size: 180608 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: mrxsmb.sys
      Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
      Address: 0xED982000 Size: 456320 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: Mup.sys
      Image Path: Mup.sys
      Address: 0xF70E0000 Size: 105472 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: Ntfs.sys
      Image Path: Ntfs.sys
      Address: 0xF7127000 Size: 574976 File Visible: - Signed: -
      Status: Hidden from the Windows API!

      Name: rootrepeal.sys
      Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
      Address: 0xA954B000 Size: 49152 File Visible: No Signed: -
      Status: -

      Hidden/Locked Files
      -------------------
      Path: c:\windows\temp\etilqs_emavntadba0qit72m77f
      Status: Allocation size mismatch (API: 8192, Raw: 0)

      Path: c:\windows\temp\etilqs_ykumyhgwfrqkpytepxto
      Status: Allocation size mismatch (API: 16384, Raw: 0)

      Path: c:\documents and settings\clint\local settings\temp\~df97c9.tmp
      Status: Allocation size mismatch (API: 24576, Raw: 0)

      Path: c:\documents and settings\clint\local settings\temp\~dfdc3d.tmp
      Status: Allocation size mismatch (API: 16384, Raw: 0)

      SSDT
      -------------------
      #: 009 Function Name: NtAddBootEntry
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db202

      #: 017 Function Name: NtAllocateVirtualMemory
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xed941d8c

      #: 025 Function Name: NtClose
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ff6c1

      #: 035 Function Name: NtCreateEvent
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd7f0

      #: 036 Function Name: NtCreateEventPair
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd848

      #: 038 Function Name: NtCreateIoCompletion
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd95e

      #: 041 Function Name: NtCreateKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ff075

      #: 043 Function Name: NtCreateMutant
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd746

      #: 050 Function Name: NtCreateSection
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd898

      #: 051 Function Name: NtCreateSemaphore
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd79a

      #: 054 Function Name: NtCreateTimer
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd90c

      #: 061 Function Name: NtDeleteBootEntry
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db226

      #: 063 Function Name: NtDeleteKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ffd87

      #: 065 Function Name: NtDeleteValueKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed90003d

      #: 068 Function Name: NtDuplicateObject
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ddbe2

      #: 071 Function Name: NtEnumerateKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ffbf2

      #: 073 Function Name: NtEnumerateValueKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ffa5d

      #: 083 Function Name: NtFreeVirtualMemory
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xed941e3c

      #: 097 Function Name: NtLoadDriver
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8daff0

      #: 109 Function Name: NtModifyBootEntry
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db24a

      #: 111 Function Name: NtNotifyChangeKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ddd56

      #: 112 Function Name: NtNotifyChangeMultipleKeys
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dbcda

      #: 114 Function Name: NtOpenEvent
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd820

      #: 115 Function Name: NtOpenEventPair
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd870

      #: 117 Function Name: NtOpenIoCompletion
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd988

      #: 119 Function Name: NtOpenKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ff3d1

      #: 120 Function Name: NtOpenMutant
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd772

      #: 122 Function Name: NtOpenProcess
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dda1a

      #: 125 Function Name: NtOpenSection
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd8d8

      #: 126 Function Name: NtOpenSemaphore
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd7c8

      #: 128 Function Name: NtOpenThread
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ddafe

      #: 131 Function Name: NtOpenTimer
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dd936

      #: 137 Function Name: NtProtectVirtualMemory
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xed941ed4

      #: 160 Function Name: NtQueryKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ff8d8

      #: 163 Function Name: NtQueryObject
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8dbba0

      #: 177 Function Name: NtQueryValueKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ff72a

      #: 192 Function Name: NtRenameKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xed94a10e

      #: 204 Function Name: NtRestoreKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8fe6e8

      #: 211 Function Name: NtSetBootEntryOrder
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db26e

      #: 212 Function Name: NtSetBootOptions
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db292

      #: 240 Function Name: NtSetSystemInformation
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db04a

      #: 241 Function Name: NtSetSystemPowerState
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db186

      #: 247 Function Name: NtSetValueKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8ffe8e

      #: 249 Function Name: NtShutdownSystem
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db162

      #: 255 Function Name: NtSystemDebugControl
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db1aa

      #: 268 Function Name: NtVdmControl
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xed8db2b6

      ==EOF==


      Appreciate the assistance.
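One way to triage a RootRepeal SSDT section like the one above is to group the hooks by the driver that installed them and check each driver against the security products known to be on the box. The script below is an added example, not part of the original post or of RootRepeal; the sample report is a constructed excerpt in the same layout as the log above, with one made-up `unknown.sys` entry to show how an unrecognised hooking driver is surfaced, and the assumption that `asw*` driver names belong to Avast (aswSP.SYS, aswSnx.SYS).

```python
import re
from collections import defaultdict

# Constructed excerpt of a RootRepeal SSDT section (same layout as the full
# report above; "unknown.sys" is a made-up entry used to show flagging).
SAMPLE_REPORT = """SSDT
-------------------
#: 009 Function Name: NtAddBootEntry
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSnx.SYS" at address 0xed8db202

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xed941d8c

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSnx.SYS" at address 0xed8daff0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\unknown.sys" at address 0xed8db1aa

==EOF==
"""

# Driver file-name prefixes belonging to products expected on this machine.
# Assumption: "asw" is Avast's driver prefix (aswSP.SYS, aswSnx.SYS). Anything
# else is surfaced for manual review, not declared malicious.
EXPECTED_PREFIXES = ("asw",)

# One SSDT entry spans two lines: the "#:" line and the "Status:" line under it.
HOOK_RE = re.compile(
    r'^#:\s*(\d+)\s+Function Name:\s*(\w+)\s*\n'
    r'Status:\s*Hooked by\s*"([^"]+)"\s*at address\s*(0x[0-9a-fA-F]+)',
    re.MULTILINE,
)


def parse_ssdt_hooks(report):
    """Return (index, function, driver_path, address) tuples from a RootRepeal SSDT block."""
    return [(int(i), fn, path, addr) for i, fn, path, addr in HOOK_RE.findall(report)]


def triage(report, expected=EXPECTED_PREFIXES):
    """Group hooked functions by hooking driver; return (all, those not from an expected vendor)."""
    by_driver = defaultdict(list)
    for _, fn, path, _ in parse_ssdt_hooks(report):
        by_driver[path.rsplit("\\", 1)[-1].lower()].append(fn)
    unexpected = {d: fns for d, fns in by_driver.items() if not d.startswith(expected)}
    return dict(by_driver), unexpected


if __name__ == "__main__":
    for driver, fns in triage(SAMPLE_REPORT)[1].items():
        print(f"review: {driver} hooks {', '.join(fns)}")
```

Run against the full report above, every hook resolves to aswSnx.SYS or aswSP.SYS, which matches the Avast install mentioned later in the thread.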

        • 1. Re: Rootkit Detection - Need expert assistance

          Hello -


          In answer to your questions:


          1. No, from what I can see in the reports.

          2. Yes, the only time a format is the only action to take is with PE file infectors, such as Virut, Ramnit, Sality etc. You can delete those processes from those ARK tools if you wish.

          3. From looking at the logs there is no rootkit activity - so your files are safe.

          4. How do you know that PC has a rootkit? It could just as well be a hardware/software/driver conflict.

          • 2. Re: Rootkit Detection - Need expert assistance

            We had seen some Google redirects and host changes previously. We ran anti-virus, anti-spyware (Malwarebytes) and the activity didn't stop. Apparently a combination of Avast and some speciality tools got it. Glad to get a clean bill of health, and this checks out with what I've read as well.


            Thanks!

            • 3. Re: Rootkit Detection - Need expert assistance

              Glad to hear all is well again. Redirects are not always a sign of rootkit infection - it could also have been Trojan.Click and/or Trojan.Hosts variants.


              Since this topic is resolved, I shall lock this thread.