Topic: some PUM DNS found

nitrousable
some PUM DNS found
« on: December 11, 2014, 03:35:32 pm »
I ran the latest RogueKiller version today and it found some PUM DNS. Log attached below.
It might be worth mentioning that my internet had been very unstable today. I was able to run Steam and Skype and other such programs but I was unable to load any internet page. I'm not sure if this could be related but anyway.
Can I get some clearance here, please?

RogueKiller V10.1.0.0 (x64) [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Alex [Administrator]
Mode : Scan -- Date : 12/11/2014  15:28:42

Processes : 0

Registry : 2
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F9DFA091-EE4C-4E93-8FE1-0316941911F3} | DhcpNameServer : 7.254.254.254 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F9DFA091-EE4C-4E93-8FE1-0316941911F3} | DhcpNameServer : 7.254.254.254 [UNITED STATES (US)]  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 7 (Driver: Loaded)
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_POWER[22] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x5bc002c0

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: SAMSUNG HD103SI +++++
--- User ---
[MBR] 37345cd71e41256344dce83f23e3d943
[BSP] d2c032d2125283caa119df8964ce8bd7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 923516 MB
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1892079616 | Size: 350 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1892796416 | Size: 29651 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD2002FAEX-007BA0 +++++
--- User ---
[MBR] 1e5e6ffb562d75a94caff1a57a5f48ca
[BSP] 56eea2c0bc00d01469255301e21a3c32 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1857727 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): -490340352 | Size: 49999 MB
User = LL1 ... OK
User = LL2 ... OK

nitrousable
Re: some PUM DNS found
« Reply #1 on: December 11, 2014, 03:59:33 pm »
Are those PUM DNS dangerous? I've no idea how it got there. I don't live in the US by the way.

nitrousable
Re: some PUM DNS found
« Reply #2 on: December 11, 2014, 04:47:16 pm »
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_CREATE[0] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_CLOSE[2] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_POWER[22] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_PNP[27] : Unknown @ 0xee6172c0

New entries in antirootkit tab found

Tigzy (Administrator, Owner, Adlice Software)
Re: some PUM DNS found
« Reply #3 on: December 12, 2014, 08:44:10 am »
Hello,

If you don't live in the US, that's suspicious.
I'd fix them.

I'm also concerned about the IRP hooks; they point to a shellcode, which is unusual.
Can you scan with Malwarebytes Anti-Rootkit?

nitrousable
Re: some PUM DNS found
« Reply #4 on: December 12, 2014, 12:19:06 pm »
Hello. I did some research and I found out that this IP belongs to the Tunngle program, so it should be legit.
Anti-Rootkit found nothing.
The RogueKiller scan now shows mountmgr.sys as a hooked driver; WMILIB.sys was only a one-time thing. It also shows a lot of green legit mountmgr entries. Perhaps you forgot to whitelist the orange ones?

nitrousable
Re: some PUM DNS found
« Reply #5 on: December 12, 2014, 12:30:58 pm »
By the way, I scanned both of those .sys files on VirusTotal and it didn't find anything. I'm not sure if this can somehow relate, but WMILIB.sys doesn't have caps in its name while RogueKiller shows it in caps. Perhaps 2 different files??

Tigzy
Re: some PUM DNS found
« Reply #6 on: December 12, 2014, 02:44:52 pm »
mountmgr.sys is the hooked module. What we're looking for here is the hooking module, which in this case is unknown.
That's why I'm concerned: it's hidden.
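To show how the two kinds of RogueKiller lines in this thread can be triaged, here is an added Python example (it is not Adlice's code or the poster's): it parses the [PUM.Dns] lines and flags resolvers that are not private addresses, and it collapses the [IRP:Addr(Hook.IRP)] lines so that one unresolved handler address hooking several dispatch routines of a driver shows up as a single finding. The embedded log lines are a constructed sample in the format quoted above, and the known_good allowlist parameter is an assumption.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample in the RogueKiller log format quoted in this thread (not a full log).
SAMPLE_LOG = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F9DFA091-EE4C-4E93-8FE1-0316941911F3} | DhcpNameServer : 7.254.254.254 [UNITED STATES (US)]  -> Found
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_PNP[27] : Unknown @ 0x450172c0
"""

DNS_RE = re.compile(r"^\[PUM\.Dns\].*\\Interfaces\\\{(?P<guid>[0-9A-Fa-f-]+)\} \| "
                    r"(?P<value>\w+) : (?P<ip>[\d.]+)")
IRP_RE = re.compile(r"^\[IRP:Addr\(Hook\.IRP\)\] (?P<driver>\S+) - (?P<major>IRP_MJ_\w+)\[\d+\] : "
                    r"(?P<owner>\S+) @ (?P<addr>0x[0-9a-fA-F]+)")

def triage_dns(line, known_good=frozenset()):
    """(interface GUID, value name, ip, verdict) for a [PUM.Dns] line, else None.
    Private/loopback resolvers are 'ok'; a public one is 'ok-known' only if it is on the
    caller's allowlist (an assumed parameter), else 'review', as 7.254.254.254 is here."""
    m = DNS_RE.match(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    verdict = ("ok" if ip.is_private or ip.is_loopback
               else "ok-known" if str(ip) in known_good else "review")
    return m["guid"], m["value"], str(ip), verdict

def group_hooks(lines):
    """One entry per (driver, owner, handler address): the same address on seven dispatch
    routines of one driver is one hooking module, not seven separate problems."""
    groups = defaultdict(list)
    for line in lines:
        m = IRP_RE.match(line)
        if m:
            groups[(m["driver"], m["owner"], m["addr"])].append(m["major"])
    return {key: sorted(majors) for key, majors in groups.items()}

def unknown_hook_findings(lines):
    """(driver, address, routine count) where the hooking module is 'Unknown': the case to chase."""
    return [(driver, addr, len(majors))
            for (driver, owner, addr), majors in group_hooks(lines).items()
            if owner == "Unknown"]

if __name__ == "__main__":
    log_lines = [l for l in SAMPLE_LOG.splitlines() if l]
    print([triage_dns(l) for l in log_lines if triage_dns(l)], unknown_hook_findings(log_lines))
```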

nitrousable
Re: some PUM DNS found
« Reply #7 on: December 12, 2014, 03:08:17 pm »
Okay, do you know anything I could do?
I searched the Adlice forums for the mountmgr.sys file and I see plenty of users have this file hooked.
http://forum.adlice.com/index.php?topic=176.msg618#msg618
Here you said that this looks legit.

EDIT2:
After restart, all the mountmgr.sys entries (even green ones) are now gone. Instead I see a similar detection pattern but with another file.

[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CREATE[0] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CLOSE[2] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_POWER[22] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_PNP[27] : Unknown @ 0x450172c0
« Last Edit: December 12, 2014, 04:31:28 pm by nitrousable »

Tigzy
Re: some PUM DNS found
« Reply #8 on: December 12, 2014, 05:30:19 pm »
Yep, please.

Quote
Can you scan with Malwarebytes Anti-Rootkit?

nitrousable
Re: some PUM DNS found
« Reply #9 on: December 12, 2014, 05:45:49 pm »
Yep, please.

Quote
Can you scan with Malwarebytes Anti-Rootkit?
Just scanned one more time, nothing was found.

Tigzy
Re: some PUM DNS found
« Reply #10 on: December 13, 2014, 07:33:16 am »
Mmh.
Can you give a chance to Gmer?

nitrousable
Re: some PUM DNS found
« Reply #11 on: December 13, 2014, 11:12:59 am »
Log attached below

nitrousable
Re: some PUM DNS found
« Reply #12 on: December 17, 2014, 03:25:52 pm »
Did you read the logs Tigzy?

Tigzy
Re: some PUM DNS found
« Reply #13 on: December 19, 2014, 04:08:36 pm »
If you uninstall Daemon Tools, do you still see the same lines in RogueKiller?
And also that line in Gmer:
Trace   ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe001c62192c0]<< sptd.sys storport.sys hal.dll storahci.sys                                 ffffe001c62192c0

nitrousable
Re: some PUM DNS found
« Reply #14 on: December 19, 2014, 05:38:10 pm »
Hello again Tigzy! So I uninstalled Daemon Tools as you told me to, but after reboot these lines stayed. I ran Gmer and noticed that sptd.sys was still running, and sptd.sys is part of the Daemon Tools driver. So I ran the sptd installer, uninstalled it and rebooted once again. Now RogueKiller shows clean results! Since green results don't show in logs, I attached them in the picture below. Learn something every day! Thank you very much for pointing out the culprit, you've been of great help! One of the best antimalware engineers out there :)