Author Topic: IRP.Hook Rootkit in my System 32 Folder (Read 5947 times)

Limrex · « **on:** November 22, 2014, 10:37:16 PM »

First of all I'd like to thank whoever made RogueKiller, it's literally the only software I have that's capable of detecting rookits/trojans, McAfee and MalwareBytes have both failed.

The first time I noticed something was wrong was when I connected to the internet (possibly a week ago) and noticed that my bandwidth was being sucked up by the Svchost.exe application, I found that it was BITS Netsvcs and had been manually stopping the process in Windows Task Manager in order to stop it draining my internet, literally I left my computer for 5 minutes and it had downloaded 700MB.

I ran RogueKiller again and it found an IRP.Hook rootkit in \SystemRoot\System32\drivers\i8042prt.sys & C:\windows\system32\DRIVERS\ETD.sys

I wanted to know if RogueKiller could actually remove the what it finds or if it just detects them. It's got to the point where I can't connect to the internet on my main computer so I'm using an old laptop, nothing else has been affected though. I've tried looking at the page RogueKiller brings up after the scan but I can't understand a single word of it, could someone explain it to me in the simplest terms of how to remove whatever I've got.

Could I use CCleaner to get rid of the registry stuff?

Could anyone point me to someone that could remove it? I just want to be back to normal, my log from RogueKiller is below:

RogueKiller V10.0.6.0 (x64) [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Limrex [Administrator]
Mode : Scan -- Date : 11/22/2014 14:27:39

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B63BEBEE-8DE8-465A-84A7-F36896D71AA2} | DhcpNameServer : 10.16.34.51 10.16.34.52 8.8.8.8 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B63BEBEE-8DE8-465A-84A7-F36896D71AA2} | DhcpNameServer : 10.16.34.51 10.16.34.52 8.8.8.8 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 92 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\i8042prt.sys - IRP_MJ_READ[3] : C:\windows\system32\DRIVERS\ETD.sys @ 0x561c4a0
[IAT:Inl] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x7fa0e6301f0 (jmp 0xffffffff801cbdff)
[IAT:Inl] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtAssignProcessToJobObject : Unknown @ 0x7fa0e6303a0 (jmp 0xffffffff801ccf3f)
[IAT:Inl] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtCreateEvent : Unknown @ 0x7fa0e6302d0 (jmp 0xffffffff801cd2b0)
[IAT:Inl] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtCreateSection : Unknown @ 0x7fa0e630310 (jmp 0xffffffff801cd2d0)
[IAT:Inl] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtSetSystemInformation : Unknown @ 0x7fa0e6301f0 (jmp 0xffffffff801cbdff)
[IAT:Inl] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x7fa0e6302d0 (jmp 0xffffffff801cd2b0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenMutant : Unknown @ 0x7fa0e6302a0 (jmp 0xffffffff801cc65f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSection : Unknown @ 0x7fa0e630310 (jmp 0xffffffff801cd2d0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtNotifyChangeKey : Unknown @ 0x7fa0e630490 (jmp 0xffffffff801cc8ff)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x7fa0e6301f0 (jmp 0xffffffff801cbdff)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x7fa0e630390 (jmp 0xffffffff801cd430)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSemaphore : Unknown @ 0x7fa0e6302b0 (jmp 0xffffffff801ccc1f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSemaphore : Unknown @ 0x7fa0e6302c0 (jmp 0xffffffff801cc62f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateMutant : Unknown @ 0x7fa0e630290 (jmp 0xffffffff801ccc8f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateTimer : Unknown @ 0x7fa0e630330 (jmp 0xffffffff801ccc6f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenTimer : Unknown @ 0x7fa0e630340 (jmp 0xffffffff801cc66f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x7fa0e630370 (jmp 0xffffffff801cd570)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSection : Unknown @ 0x7fa0e630320 (jmp 0xffffffff801cd410)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateIoCompletion : Unknown @ 0x7fa0e630350 (jmp 0xffffffff801ccdbf)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x7fa0e6303b0 (jmp 0xffffffff801cd470)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateThreadEx : Unknown @ 0x7fa0e6303d0 (jmp 0xffffffff801ccd1f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x7fa0e6303f0 (jmp 0xffffffff801cd320)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenThread : Unknown @ 0x7fa0e630380 (jmp 0xffffffff801cc6bf)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSuspendThread : Unknown @ 0x7fa0e630430 (jmp 0xffffffff801cbf3f)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSetContextThread : Unknown @ 0x7fa0e630400 (jmp 0xffffffff801cc1ef)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtNotifyChangeMultipleKeys : Unknown @ 0x7fa0e6304a0 (jmp 0xffffffff801cc8ff)
[IAT:Inl] (explorer.exe @ combase.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ combase.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ combase.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x7fa0e630390 (jmp 0xffffffff801cd430)
[IAT:Inl] (explorer.exe @ powrprof.dll) ntdll.dll - ZwAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ advapi32.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x7fa0e6301f0 (jmp 0xffffffff801cbdff)
[IAT:Inl] (explorer.exe @ advapi32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ USER32.dll) ntdll.dll - NtVdmControl : Unknown @ 0x7fa0e630280 (jmp 0xffffffff801cbc6f)
[IAT:Inl] (explorer.exe @ GDI32.dll) ntdll.dll - NtCreateSection : Unknown @ 0x7fa0e630310 (jmp 0xffffffff801cd2d0)
[IAT:Inl] (explorer.exe @ GDI32.dll) ntdll.dll - NtVdmControl : Unknown @ 0x7fa0e630280 (jmp 0xffffffff801cbc6f)
[IAT:Inl] (explorer.exe @ UxTheme.dll) ntdll.dll - NtCreateSection : Unknown @ 0x7fa0e630310 (jmp 0xffffffff801cd2d0)
[IAT:Inl] (explorer.exe @ UxTheme.dll) ntdll.dll - NtOpenSection : Unknown @ 0x7fa0e630320 (jmp 0xffffffff801cd410)
[IAT:Inl] (explorer.exe @ dwmapi.dll) ntdll.dll - NtCreateSection : Unknown @ 0x7fa0e630310 (jmp 0xffffffff801cd2d0)
[IAT:Inl] (explorer.exe @ SspiCli.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ SspiCli.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x7fa0e630390 (jmp 0xffffffff801cd430)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtCreateSection : Unknown @ 0x7fa0e630310 (jmp 0xffffffff801cd2d0)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtQueueApcThreadEx : Unknown @ 0x7fa0e630440 (jmp 0xffffffff801cc45f)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ sechost.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ MSCTF.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ bcryptPrimitives.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ clbcatq.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ WINSTA.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x7fa0e630370 (jmp 0xffffffff801cd570)
[IAT:Inl] (explorer.exe @ WINSTA.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ CRYPTSP.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ rsaenh.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtCreateSection : Unknown @ 0x7fa0e630310 (jmp 0xffffffff801cd2d0)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ twinui.dll) ntdll.dll - ZwAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ CRYPT32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ wpncore.dll) ntdll.dll - ZwAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ dwrite.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ SETUPAPI.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ bcrypt.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ ncrypt.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ Secur32.dll) ntdll.dll - NtOpenSection : Unknown @ 0x7fa0e630320 (jmp 0xffffffff801cd410)
[IAT:Inl] (explorer.exe @ authui.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x7fa0e6301f0 (jmp 0xffffffff801cbdff)
[IAT:Inl] (explorer.exe @ authui.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x7fa0e630370 (jmp 0xffffffff801cd570)
[IAT:Inl] (explorer.exe @ es.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ AUDIOSES.DLL) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ NSI.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ WS2_32.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x7fa0e6301e0 (jmp 0xffffffff801cc73f)
[IAT:Inl] (explorer.exe @ CSCAPI.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x7fa0e6302d0 (jmp 0xffffffff801cd2b0)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenTimer : Unknown @ 0x7fa0e630340 (jmp 0xffffffff801cc66f)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenThread : Unknown @ 0x7fa0e630380 (jmp 0xffffffff801cc6bf)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenSemaphore : Unknown @ 0x7fa0e6302c0 (jmp 0xffffffff801cc62f)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenSection : Unknown @ 0x7fa0e630320 (jmp 0xffffffff801cd410)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x7fa0e630370 (jmp 0xffffffff801cd570)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenMutant : Unknown @ 0x7fa0e6302a0 (jmp 0xffffffff801cc65f)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenEventPair : Unknown @ 0x7fa0e630300 (jmp 0xffffffff801cc72f)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7fa0e630450 (jmp 0xffffffff801cd7b0)
[IAT:Inl] (explorer.exe @ WINMM.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x7fa0e6302d0 (jmp 0xffffffff801cd2b0)
[IAT:Inl] (explorer.exe @ WINMM.dll) ntdll.dll - NtCreateTimer : Unknown @ 0x7fa0e630330 (jmp 0xffffffff801ccc6f)
[IAT:Inl] (explorer.exe @ AVRT.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ AVRT.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)
[IAT:Inl] (explorer.exe @ AVRT.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x7fa0e6302d0 (jmp 0xffffffff801cd2b0)
[IAT:Inl] (explorer.exe @ AVRT.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x7fa0e6303e0 (jmp 0xffffffff801cd580)
[IAT:Inl] (explorer.exe @ wer.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7fa0e6302e0 (jmp 0xffffffff801cd340)
[IAT:Inl] (explorer.exe @ wer.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x7fa0e630480 (jmp 0xffffffff801cd04f)

¤¤¤ Web browsers : 2 ¤¤¤
[PUP][FIREFX:Addon] axihctc6.default : Ant Video Downloader [anttoolbar@ant.com] -> Found
[PUM.HomePage][FIREFX:Config] axihctc6.default : user_pref("browser.startup.homepage", "http://www.youtube.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 15791ebe232be04b39dd35b0f361680e
[BSP] 1807173ac8d941e91f4b2e88433a9f4f : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ZTE MMC Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_11152014_000723.log - RKreport_SCN_11142014_234647.log - RKreport_SCN_11152014_001631.log - RKreport_SCN_11152014_143952.log
RKreport_SCN_11192014_180124.log - RKreport_SCN_11192014_195927.log

Tigzy · « **Reply #1 on:** November 24, 2014, 09:40:18 AM »

Hello
There's some shellcode layer that RogueKiller can't detect (you know inline hooks are usually jumping directly to hook DLL, but sometimes it's jumping to another memory location, then jumping to another one, and then jumping to the module).

To improve RogueKiller, could you make a dump of explorer.exe process with Process Hacker, upload it on Google Drive/Dropbox and give the link?

Author Topic: IRP.Hook Rootkit in my System 32 Folder (Read 5947 times)

Limrex

IRP.Hook Rootkit in my System 32 Folder

Tigzy

Re: IRP.Hook Rootkit in my System 32 Folder