Rootkit using NtCreatekey then NTEnumeratekey, etc

delphi package - easy access to security apis

Rootkit using NtCreatekey then NTEnumeratekey, etc

Postby pedwards » Tue Feb 12, 2008 8:51 am

Hi, newbie here, be gentle.:~
I suspected I have a rootkit installed and found icesword by http://www.antirootkit.com/software/IceSword.htm.
When I ran it I see in the system service descriptor window the Kmodule load paths are all from /Windows/System32, except one item.
The item renames itself from boot to boot, and today it is calling itself spgl.sys. Strange the module has no path. Yesterday it was calling itself spid.sys. Today it's called spgl.sys.
Each version hooks into NtCreate, then NtEnumaerate, then NtEnumerateValueKey, then NtOpenKey, NtQueryKey, NtQueryValueKey,
NtSetValueKey.

There appears to be a slowdown on the system, and sometimes large transfers of data that do not correspond to user requests.
Any ideas on how to flush out the culprets.

I also found a large number of ADS stream files on the system, mainly attached to images, and of varying file lengths. The content is mostly binary, so no way to easily determine what it is.
Used Adsspy by merijn to get them off. Nice product that. must send him a buck.

Gotto give up and go sleep now.
Will replace mbr tomorrow and soldier on.
Any ideas anyone?
pedwards
 
Posts: 1
Joined: Tue Feb 12, 2008 8:33 am

Postby pdelatullaye » Thu Feb 21, 2008 9:58 am

Hello,

I have discovered the same symptom on my PC, and i'm still investigating !
pdelatullaye
 
Posts: 2
Joined: Thu Feb 21, 2008 9:46 am

Postby pdelatullaye » Thu Feb 21, 2008 1:02 pm

Hello,

DO you have a driver called sptd.sys it come with software like DAEMON tools ?
pdelatullaye
 
Posts: 2
Joined: Thu Feb 21, 2008 9:46 am

Postby madshi » Mon Feb 25, 2008 6:39 pm

Hey guys,

you have my honest condolences for having trouble with malware. But I'm just wondering what this has to do with me respectively with this forum? Not trying to chase you away. You may continue to post in this thread about your trouble. I'm just wondering if there's anything you expect me to do as the site admin here?
madshi
Site Admin
 
Posts: 9618
Joined: Sun Mar 21, 2004 5:25 pm


Return to madSecurity

Who is online

Users browsing this forum: No registered users and 2 guests