Rootkit using NtCreatekey then NTEnumeratekey, etc

delphi package - easy access to security apis
Post Reply
pedwards
Posts: 1
Joined: Tue Feb 12, 2008 8:33 am

Rootkit using NtCreatekey then NTEnumeratekey, etc

Post by pedwards »

Hi, newbie here, be gentle.:~
I suspected I have a rootkit installed and found icesword by http://www.antirootkit.com/software/IceSword.htm.
When I ran it I see in the system service descriptor window the Kmodule load paths are all from /Windows/System32, except one item.
The item renames itself from boot to boot, and today it is calling itself spgl.sys. Strange the module has no path. Yesterday it was calling itself spid.sys. Today it's called spgl.sys.
Each version hooks into NtCreate, then NtEnumaerate, then NtEnumerateValueKey, then NtOpenKey, NtQueryKey, NtQueryValueKey,
NtSetValueKey.

There appears to be a slowdown on the system, and sometimes large transfers of data that do not correspond to user requests.
Any ideas on how to flush out the culprets.

I also found a large number of ADS stream files on the system, mainly attached to images, and of varying file lengths. The content is mostly binary, so no way to easily determine what it is.
Used Adsspy by merijn to get them off. Nice product that. must send him a buck.

Gotto give up and go sleep now.
Will replace mbr tomorrow and soldier on.
Any ideas anyone?
pdelatullaye
Posts: 2
Joined: Thu Feb 21, 2008 9:46 am

Post by pdelatullaye »

Hello,

I have discovered the same symptom on my PC, and i'm still investigating !
pdelatullaye
Posts: 2
Joined: Thu Feb 21, 2008 9:46 am

Post by pdelatullaye »

Hello,

DO you have a driver called sptd.sys it come with software like DAEMON tools ?
madshi
Site Admin
Posts: 10527
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Hey guys,

you have my honest condolences for having trouble with malware. But I'm just wondering what this has to do with me respectively with this forum? Not trying to chase you away. You may continue to post in this thread about your trouble. I'm just wondering if there's anything you expect me to do as the site admin here?
Post Reply