
Rootkit using NtCreateKey then NtEnumerateKey, etc.

Posted: Tue Feb 12, 2008 8:51 am
by pedwards
Hi, newbie here, be gentle.:~
I suspect I have a rootkit installed and found IceSword via http://www.antirootkit.com/software/IceSword.htm.
When I ran it, I saw in the system service descriptor window that the Kmodule load paths are all from /Windows/System32, except for one item.
The item renames itself from boot to boot, and today it is calling itself spgl.sys. Strangely, the module has no path. Yesterday it was calling itself spid.sys. Today it's called spgl.sys.
Each version hooks into NtCreateKey, then NtEnumerateKey, then NtEnumerateValueKey, then NtOpenKey, NtQueryKey, NtQueryValueKey, NtSetValueKey.

There appears to be a slowdown on the system, and sometimes large transfers of data that do not correspond to user requests.
Any ideas on how to flush out the culprits?

I also found a large number of ADS stream files on the system, mainly attached to images, and of varying file lengths. The content is mostly binary, so there is no way to easily determine what it is.
Used ADS Spy by Merijn to get them off. Nice product, that. Must send him a buck.

Got to give up and go to sleep now.
Will replace the MBR tomorrow and soldier on.
Any ideas anyone?
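As an added illustration (not from the thread, and not IceSword's own output), here is a small Python triage script that applies the check pedwards does by eye: parse an SSDT-style hook listing (service name, hooking module, module load path) and flag any hooking module that either reports no load path or loads from outside \Windows\System32. It also notes when one module hooks several registry-related services together, which is the pattern described in the post. The listing, the module name and the paths below are constructed to mirror the post, not captured from a real machine.

```python
"""Triage an SSDT hook listing the way an anti-rootkit tool's table is read by eye.

Constructed example: the sample listing imitates a service descriptor table
view (service, hooking module, load path). Entries whose handler has no path,
or a path outside \\Windows\\System32, are reported per module. Names are
made up for illustration.
"""
import ntpath

# Constructed sample listing; not real tool output. Columns are
# service name, hooking module, optional load path.
SAMPLE_LISTING = """\
NtCreateFile        ntoskrnl.exe   C:\\WINDOWS\\system32\\ntoskrnl.exe
NtCreateKey         spgl.sys
NtEnumerateKey      spgl.sys
NtEnumerateValueKey spgl.sys
NtOpenKey           spgl.sys
NtQueryKey          spgl.sys
NtQueryValueKey     spgl.sys
NtSetValueKey       spgl.sys
NtOpenFile          ntoskrnl.exe   C:\\WINDOWS\\system32\\ntoskrnl.exe
NtCreateProcess     ntoskrnl.exe   C:\\WINDOWS\\system32\\ntoskrnl.exe
"""

# Directories from which kernel handlers are expected to load (assumption
# for this example; compare against a known-good listing on a real system).
TRUSTED_DIRS = (r"c:\windows\system32",)

# Services that together give a driver control over what the registry shows.
REGISTRY_SERVICES = {
    "NtCreateKey", "NtEnumerateKey", "NtEnumerateValueKey", "NtOpenKey",
    "NtQueryKey", "NtQueryValueKey", "NtSetValueKey",
}


def parse_listing(text):
    """Turn the whitespace-separated listing into dicts; path may be empty."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().split(None, 2)
        if len(parts) < 2:
            continue  # blank or malformed line
        service, module = parts[0], parts[1]
        path = parts[2].strip() if len(parts) == 3 else ""
        entries.append({"service": service, "module": module, "path": path})
    return entries


def is_trusted_path(path):
    """A handler is trusted only if it reports a path inside a trusted directory."""
    if not path:
        return False  # "module has no path" is itself a red flag
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in TRUSTED_DIRS


def triage(entries):
    """Group untrusted hooks by module and summarise what each one intercepts."""
    by_module = {}
    for entry in entries:
        if not is_trusted_path(entry["path"]):
            by_module.setdefault(entry["module"], []).append(entry["service"])
    report = []
    for module, services in by_module.items():
        registry_hooks = sorted(s for s in services if s in REGISTRY_SERVICES)
        report.append({
            "module": module,
            "services": sorted(services),
            "registry_hooks": registry_hooks,
            # Three or more registry services hooked by one unpathed module is
            # the classic shape of a driver hiding its own keys and values.
            "hides_registry": len(registry_hooks) >= 3,
        })
    return report


if __name__ == "__main__":
    for item in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{item['module']}: hooks {len(item['services'])} services, "
              f"registry hooks {item['registry_hooks']}, "
              f"hides registry: {item['hides_registry']}")
```

The same comparison works on a listing saved from any tool that shows the hooking module and its path; the value of doing it programmatically is that it can be diffed across reboots, which is exactly when a driver that renames itself every boot would otherwise slip past a by-eye check.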

Posted: Thu Feb 21, 2008 9:58 am
by pdelatullaye
Hello,

I have discovered the same symptom on my PC, and I'm still investigating!

Posted: Thu Feb 21, 2008 1:02 pm
by pdelatullaye
Hello,

Do you have a driver called sptd.sys? It comes with software like DAEMON Tools.

Posted: Mon Feb 25, 2008 6:39 pm
by madshi
Hey guys,

You have my honest condolences for having trouble with malware. But I'm just wondering what this has to do with me, or with this forum? Not trying to chase you away. You may continue to post in this thread about your trouble. I'm just wondering if there's anything you expect me to do as the site admin here?