wrolyat

The Aim Virus\Browser Hijacks


Let's take a look to see if something is still hiding there, because in 80% of cases the malware bundle that was installed also comes with a rootkit.

So perform the following:

* Download GMER from here:

http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe.

Click the Rootkit tab and click Scan.

Once done, click the Copy button.

This will copy the results to the clipboard.

Paste the results in your next reply.


GMER 1.0.10.10111 - http://www.gmer.net

Rootkit 2006-06-06 14:45:20

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT SSI.SYS ZwCreateKey

SSDT SSI.SYS ZwCreateProcess

SSDT SSI.SYS ZwCreateProcessEx

SSDT SSI.SYS ZwDeleteKey

SSDT SSI.SYS ZwDeleteValueKey

SSDT SSI.SYS ZwRenameKey

SSDT SSI.SYS ZwSetInformationKey

SSDT SSI.SYS ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7C5785A] avgtdi.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7C5785A] avgtdi.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7C5785A] avgtdi.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7C5785A] avgtdi.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F7C5785A] avgtdi.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F768420C] SSI.SYS

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [F768420C] SSI.SYS

---- Processes - GMER 1.0.10 ----

Process hidden process (*** hidden *** ) 5624 <-- ROOTKIT !!!

Process hidden process (*** hidden *** ) 5720 <-- ROOTKIT !!!

Process hidden process (*** hidden *** ) 5864 <-- ROOTKIT !!!

---- EOF - GMER 1.0.10 ----

It had like 3 warning things pop up about rootkit activity.


Hmm, it doesn't show exactly what I want to see. The rootkit alerts there *could* be harmless; however, I doubt it. Also, these numbers don't show what it exactly is, because it doesn't show the related process attached, because it's hidden. Normally it should show, though. So that's why it's better to be careful here and perform some additional searches with other rootkit revealers afterwards.

Maybe they show us more.

But first I want you to try the following:

Can you run GMER in safe mode as well? Then save the log in Notepad and post it in your next reply. Maybe it will show the attached process name instead of only the value.

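The log posted above carries the two signals the helper is reading from it: every SSDT entry and every TCP/IP device IRP handler except IRP_MJ_SHUTDOWN resolves into SSI.SYS, and the three hidden processes have a PID but no image path, so the log alone cannot say which file owns them. As an added example (not GMER's code and not written by anyone in this thread), the Python below parses a GMER log in that format, groups the hooks by the module that owns them, and separates hidden PIDs that lack an image path from those that name one. The embedded SAMPLE_LOG is constructed in the same format as the posted log with a shortened device list and an invented second process path; the `known_modules` allowlist is an assumption of the example, meant for drivers an analyst has already verified as belonging to installed security software.

```python
"""Parse a GMER rootkit-scan log (what GMER's Copy button puts on the
clipboard) and pull out what an analyst reads first: which kernel module
owns the SSDT hooks, which module intercepts IRPs on the TCP/IP devices,
and which hidden processes carry no image path.

Added example for this thread, not GMER's code. SAMPLE_LOG is constructed
in the format of the posted log (shortened device list; the second
process path is invented).
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
GMER 1.0.10.10111 - http://www.gmer.net
Rootkit 2006-06-06 14:45:20
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F768420C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7C5785A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F768420C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F768420C] SSI.SYS

---- Processes - GMER 1.0.10 ----

Process hidden process (*** hidden *** ) 5624 <-- ROOTKIT !!!
Process C:\WINDOWS\system32\example.exe (*** hidden *** ) 5720 <-- ROOTKIT !!!

---- EOF - GMER 1.0.10 ----
"""

# One pattern per record type. The process pattern accepts both the
# "hidden process" placeholder seen in the thread and a real image path.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)")
DEVICE_RE = re.compile(
    r"^Device\s+(\S+)\s+(\S+)\s+(\S+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+)\s*$")
PROCESS_RE = re.compile(
    r"^Process\s+(.+?)\s+(?:\(\*\*\* hidden \*\*\* \)\s+)?(\d+)"
    r"(?:\s+<-- ROOTKIT !!!)?\s*$")


def parse_gmer_log(text):
    """Return the SSDT, device-hook and process records of a GMER log."""
    parsed = {"ssdt": [], "devices": [], "processes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):  # blank or section header
            continue
        m = SSDT_RE.match(line)
        if m:
            parsed["ssdt"].append({"module": m.group(1), "function": m.group(2)})
            continue
        m = DEVICE_RE.match(line)
        if m:
            parsed["devices"].append({
                "driver": m.group(1), "device": m.group(2), "irp": m.group(3),
                "address": m.group(4).upper(), "module": m.group(5)})
            continue
        m = PROCESS_RE.match(line)
        if m:
            image = m.group(1)
            parsed["processes"].append({
                "pid": int(m.group(2)),
                # GMER printed "hidden process" where the image path belongs.
                "image": None if image.lower() == "hidden process" else image,
                "hidden": "*** hidden ***" in line})
    return parsed


def triage(parsed, known_modules=frozenset()):
    """Group hooks by owning module; list hidden PIDs, and those with no image.

    known_modules (assumption of this example): driver names the analyst has
    already verified, e.g. an installed antivirus TDI filter, to be skipped.
    """
    known = {k.lower() for k in known_modules}
    ssdt_hooks = defaultdict(list)
    for h in parsed["ssdt"]:
        if h["module"].lower() not in known:
            ssdt_hooks[h["module"]].append(h["function"])
    device_hooks = defaultdict(set)
    for d in parsed["devices"]:
        if d["module"].lower() not in known:
            device_hooks[d["module"]].add(d["device"])
    hidden = [p for p in parsed["processes"] if p["hidden"]]
    return {
        "ssdt_hooks": dict(ssdt_hooks),
        "device_hooks": {m: sorted(v) for m, v in device_hooks.items()},
        "hidden_pids": [p["pid"] for p in hidden],
        # The entries the thread worries about: a PID but no file, so the
        # owning file has to come from another scan.
        "unattributed_hidden_pids": [p["pid"] for p in hidden if p["image"] is None],
    }


if __name__ == "__main__":
    for key, value in triage(parse_gmer_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as a script to see the grouping for the sample, or call `parse_gmer_log` on a saved GMER log. A module that owns both the SSDT registry/process hooks and the IRP dispatch of every TCP/IP device is the picture the helper is reacting to; an `unattributed_hidden_pids` entry is exactly the "blank filename" case the later posts try to resolve with a second scanner.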

By the way, when you click the Process tab (first tab), are these three processes also marked in red, as you see in the next screenshot?

http://www.gmer.net/gmer.jpg

If so, can you tell me if there's a filename present there, as you can see in the above screenshot? (It shows hxdef100.exe, rootkit.exe and _root_test.exe there. In your case it will be other filenames.)

Please make sure you tell me the ones in red, no other ones.

It could of course be possible that in your case, as I see in your log, that field is blank.


Ok, that's what I thought.... and I don't like that, because it doesn't show what related file is attached. Could be anything.

I want you to run some other rootkit revealers as well, so I can compare.

Download and save BlackLight to your desktop.

F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, then accept the agreement.

Click Scan, then Next.

You'll see a list of all items found.

Don't choose Rename yet! I want to see the log first, because legit items can also be present there...

There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).

Please download Rootkit Revealer (link is at the very bottom of the page):

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe.
  • Click the Scan button (bottom right).
  • It may take a while to scan (don't do anything while it's running).
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop, copy the entire contents and paste them here together with the log from BlackLight.

Note: these rootkit revealers do NOT run in safe mode, so you have to perform those scans in normal mode.


Hello,

I just contacted the developer of GMER for more explanation. He hasn't seen that before either, and he wants you to do an additional scan with GMER as well, but with some settings modified.

So, in GMER, click the Rootkit tab, and in the right column select only the following:

  • Process
  • Libraries
  • Modules
  • Services

Then, below, click Show all.

This is how the settings should be selected:

http://users.telenet.be/bluepatchy/miekiem...images/gmer.jpg

Then click Scan.

The log will be huge and look different.

Click the Copy button and paste the results in Notepad.

Zip the file and please email the file to:

miekiemoesATmalware-research.co.uk

Remember to replace the AT in the above line with an @.

(The reason for not posting a complete valid e-mail address in a post is so spammers can't harvest the address.)

Thanks.


ZThor, can you please start your own thread? Posting in someone else's thread makes things very confusing. I am helping wrolyat in this thread, and I really can't deal with more than one log in the same thread.

Thanks. :D


06/06/06 21:30:59 [info]: BlackLight Engine 1.0.37 initialized

06/06/06 21:30:59 [info]: OS: 5.1 build 2600 (Service Pack 2)

06/06/06 21:31:00 [Note]: 7019 4

06/06/06 21:31:00 [Note]: 7005 0

06/06/06 21:31:24 [Note]: 7006 0

06/06/06 21:31:24 [Note]: 7011 2988

06/06/06 21:31:24 [Note]: 7026 0

06/06/06 21:31:24 [Note]: 7026 0

06/06/06 21:31:28 [Note]: FSRAW library version 1.7.1015

06/06/06 21:31:39 [Note]: 2000 1006

06/06/06 21:32:05 [Note]: 7007 0

BlackLight didn't really find any hidden processes, it said. I figured there was no use in pasting the Rootkit Revealer log because nothing was found :\ .


Ok, did you get my mail?

In the log you sent me, there were no hidden processes present.

Are you still getting the Explorer crashes?


I just got one while answering this post :) , kind of ironic. Anyway, I responded to your requests in your e-mail... I couldn't find ANY of the files (what I should say is that they just weren't there).
