Adlice forum

Software feedback => RogueKiller => Topic started by: nitrousable on December 11, 2014, 03:35:32 PM

Title: some PUM DNS found
Post by: nitrousable on December 11, 2014, 03:35:32 PM
I ran the latest RogueKiller version today and it found some PUM DNS. Log attached below.
It might be worth mentioning that my internet had been very unstable today: I was able to run Steam and Skype and other such programs, but I was unable to load any internet page. I'm not sure if this could be related, but anyway.
Can I get some clearance here, please?




RogueKiller V10.1.0.0 (x64) [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Alex [Administrator]
Mode : Scan -- Date : 12/11/2014  15:28:42

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F9DFA091-EE4C-4E93-8FE1-0316941911F3} | DhcpNameServer : 7.254.254.254 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F9DFA091-EE4C-4E93-8FE1-0316941911F3} | DhcpNameServer : 7.254.254.254 [UNITED STATES (US)]  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_POWER[22] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x5bc002c0

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SI +++++
--- User ---
[MBR] 37345cd71e41256344dce83f23e3d943
[BSP] d2c032d2125283caa119df8964ce8bd7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 923516 MB
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1892079616 | Size: 350 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1892796416 | Size: 29651 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD2002FAEX-007BA0 +++++
--- User ---
[MBR] 1e5e6ffb562d75a94caff1a57a5f48ca
[BSP] 56eea2c0bc00d01469255301e21a3c32 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1857727 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): -490340352 | Size: 49999 MB
User = LL1 ... OK
User = LL2 ... OK
Title: Re: some PUM DNS found
Post by: nitrousable on December 11, 2014, 03:59:33 PM
Are those PUM DNS dangerous? I've no idea how it got there. I don't live in the US by the way.
Title: Re: some PUM DNS found
Post by: nitrousable on December 11, 2014, 04:47:16 PM
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_CREATE[0] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_CLOSE[2] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_POWER[22] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0xee6172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\WMILIB.SYS - IRP_MJ_PNP[27] : Unknown @ 0xee6172c0

New entries found in the antirootkit tab.
Title: Re: some PUM DNS found
Post by: Tigzy on December 12, 2014, 08:44:10 AM
Hello

If you don't live in the US, that's suspicious.
I'd fix them.

I'm also concerned about the IRP hooks; they point to a shellcode, which is unusual.
Can you scan with Malwarebytes Anti-Rootkit?
Title: Re: some PUM DNS found
Post by: nitrousable on December 12, 2014, 12:19:06 PM
Hello. I did some research and I found out that this IP belongs to Tunngle program so it should be legit.
Anti Rootkit found nothing.
RogueKiller scan now shows mountmgr.sys as a hooked driver, WMILIB.sys was only a one time thing. It also shows a lot of green legit mountmgr entries, perhaps you forgot to whitelist the orange ones?
Title: Re: some PUM DNS found
Post by: nitrousable on December 12, 2014, 12:30:58 PM
By the way, I scanned both of those .sys files on VirusTotal and it didn't find anything. I'm not sure if that can somehow relate, but WMILIB.sys doesn't have caps in its name while RogueKiller shows it in caps. Perhaps 2 different files??
Title: Re: some PUM DNS found
Post by: Tigzy on December 12, 2014, 02:44:52 PM
mountmgr.sys is the hooked module. We're here looking for the hooking module, which here is unknown.
That's why I'm concerned, it's hidden.
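The two findings in this thread, the PUM.Dns registry entries and the IRP hooks reported as "Unknown @ address", can be pulled out of a RogueKiller log and summarised with a short parser. This is an added example, not RogueKiller's own code; the log lines are constructed from the thread's format, and the module list used to resolve a hook address (name, base, size) is a hypothetical stand-in for the loaded-driver list an antirootkit tool would walk.

```python
"""Summarise PUM.Dns entries and IRP hooks from RogueKiller-style log lines."""
import re
from collections import defaultdict

# Constructed sample in the thread's format: one PUM.Dns line, three IRP hooks.
SAMPLE_LOG = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F9DFA091-EE4C-4E93-8FE1-0316941911F3} | DhcpNameServer : 7.254.254.254 [UNITED STATES (US)]  -> Found
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x5bc002c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x5bc002c0
"""

PUM_DNS_RE = re.compile(r"^\[PUM\.Dns\].*\| DhcpNameServer : (\S+)")
IRP_RE = re.compile(
    r"^\[IRP:Addr\(Hook\.IRP\)\] (\S+) - (IRP_MJ_\w+)\[\d+\] : (\S+) @ (0x[0-9a-fA-F]+)")


def find_dns_servers(log):
    """Return the DhcpNameServer addresses flagged as PUM.Dns, deduplicated in order."""
    found = []
    for line in log.splitlines():
        m = PUM_DNS_RE.match(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def unexpected_dns(log, allowlist):
    """DNS servers not on an allowlist the operator verified (e.g. a VPN/LAN tool's resolver)."""
    return [ip for ip in find_dns_servers(log) if ip not in allowlist]


def group_irp_hooks(log):
    """Map (hooked driver, reported owner, handler address) -> IRP major functions.
    Seven IRP_MJ entries sharing one address is a single hooking module, not seven hooks."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = IRP_RE.match(line)
        if m:
            path, major, owner, addr = m.groups()
            groups[(path.rsplit("\\", 1)[-1], owner, int(addr, 16))].append(major)
    return dict(groups)


def resolve_owner(addr, modules):
    """Name the module whose [base, base+size) range covers addr, or 'Unknown' if none
    does: that is what an unresolvable (hidden) hooking module looks like in the log."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return "Unknown"
```

Running `resolve_owner` with a hypothetical module list that includes the driver later found responsible (sptd.sys) turns the "Unknown" into a name; the same address with an empty list stays "Unknown", matching the thread's log.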
Title: Re: some PUM DNS found
Post by: nitrousable on December 12, 2014, 03:08:17 PM
Okay, do you know anything I could do?
I searched the Adlice forums for the mountmgr.sys file and I see plenty of users have this file hooked.
http://forum.adlice.com/index.php?topic=176.msg618#msg618
Here you said that this looks legit.


EDIT2:
After restart all the mountmgr.sys entries (even green ones) are now gone. Instead I see a similar detection pattern but with another file.

[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CREATE[0] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CLOSE[2] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_POWER[22] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x450172c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_PNP[27] : Unknown @ 0x450172c0
Title: Re: some PUM DNS found
Post by: Tigzy on December 12, 2014, 05:30:19 PM
Yep, please.

Quote
Can you scan with Malwarebytes Anti-Rootkit?
Title: Re: some PUM DNS found
Post by: nitrousable on December 12, 2014, 05:45:49 PM
Quote
Yep, please.

Quote
Can you scan with Malwarebytes Anti-Rootkit?
Just scanned one more time, nothing was found.
Title: Re: some PUM DNS found
Post by: Tigzy on December 13, 2014, 07:33:16 AM
Mmh.
Can you give a chance to Gmer?
Title: Re: some PUM DNS found
Post by: nitrousable on December 13, 2014, 11:12:59 AM
Log attached below
Title: Re: some PUM DNS found
Post by: nitrousable on December 17, 2014, 03:25:52 PM
Did you read the logs Tigzy?
Title: Re: some PUM DNS found
Post by: Tigzy on December 19, 2014, 04:08:36 PM
If you uninstall Daemon Tools, do you see the same lines in RogueKiller?
And also that line in Gmer:
Trace   ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe001c62192c0]<< sptd.sys storport.sys hal.dll storahci.sys                                 ffffe001c62192c0
Title: Re: some PUM DNS found
Post by: nitrousable on December 19, 2014, 05:38:10 PM
Hello again Tigzy! So I uninstalled Daemon Tools as you told me to, but after reboot these lines stayed. I ran Gmer and noticed that sptd.sys was still running, and sptd.sys is a part of the Daemon Tools driver. So I ran the sptd installer and uninstalled it and rebooted once again. Now RogueKiller shows clean results! Since green results don't show in logs, I attached them in the picture below. Learn something every day! Thank you very much for pointing out the culprit, you've been of great help! One of the best antimalware engineers out there :)

(http://puu.sh/dBaEL/9c09b9fe52.png)
Title: Re: some PUM DNS found
Post by: Tigzy on December 22, 2014, 11:09:43 AM
Ok, so it gives hints about the IRP hooks.
I'll have to find a way to detect sptd and whitelist it. Will work on it, thanks again!
Title: Re: some PUM DNS found
Post by: Tigzy on January 02, 2015, 05:03:41 PM
Just to show you what's going on :)