View full version : Potential Rootkit, affects Gmer, RKR, HJT, IE, AVZ, RKhookAnalyzer...

16.02.2008, 03:13
I wasn't sure if I should post a new thread or post in the old one.

I have 2 computers on a home network. My DSL modem seems affected. I have it set to bridge mode, and in that mode the lights should not blink, but they do. In bridge mode the router becomes the gateway to the internet.

After my previous posts, I wiped all infected computers, reinstalled OS's.
Reset the DSL modem, reconfigured, new account password. Reset the router, reconfigured. Reset router 2, reconfigured. After doing all this the modem wasn't acting right; it was blinking and shouldn't.

I have wiped this computer, a laptop, a second time. I wanted to put XP Pro on it instead of Vista. Could not install XP. Now I am back to Vista.

I am having problems. I may have a rootkit. Kaspersky 7 shows nothing.
I was curious because of minor issues, so I used RootkitRevealer. It acted weird. I get "Interactive Services Dialog Detection", the screen blanks out and the scan is performed in a different environment, finding 285,000+ discrepancies.
Gmer says there is an ntdll.dll issue.
Rootkit Hook Analyzer worked on initial install but subsequently does not work.
F-Secure BlackLight used but found nothing.
AVZ has some difficulties, but states there is a problem.
HijackThis will not save a log file.
Bat1 will not save a log file.

I used to use Netscape on the previous installs, and on downloads a 7.5 MB file came down in less than 1 second. I don't have a T1 and I don't have FiOS (fiber optic service). I can't explain 1200 KB to 2000 KB downloads unless I'm pipelined through somebody else's connection.

Is it possible that my ISP is the infection point or my account from the ISP?
Could the flash in my modem be infected? Would resetting it delete the infection?

I am just getting frustrated. No matter what I do or how often I wipe, the problems return. On this latest install I have not used any outside media or old saved files. If I became infected it was because of the connection. If I stayed infected then it was embedded in the system.

16.02.2008, 03:30
Sorry I forgot to post the files.
Also, HijackThis would not save a log file with either version. Sorry.

18.02.2008, 04:34
After doing all this the modem wasn't acting right; it was blinking and shouldn't.
Are you sure that parameters for bridge mode are correct?
Wrong VPI/VCI will result in blinking of "CD" or "Act/DSL" LED and connection will not work.

18.02.2008, 05:34
I am 95% sure. I was not in a rush that day. I wiped all computers while disconnected. Called my ISP and informed them I had an infection and my email account may have been compromised. Asked to change the main password, not the subs. Apparently, I must change the subs on my end.

I reset the modem and both routers.
After the computers were up, I reset the network. Starting from the modem, which needs an internet connection, I created the new profile. Input the temp password and account name. Logged on to the account and changed the password, 24 hr life.
Logged onto the modem, changed the profile to match the new password. I then set the VNC to Bridge mode from PPPoE, saved the profile. Now there isn't supposed to be an internet connection, but I was able to surf. I have configured the modem at least 10 times and that never happened. I reset the modem again and went through the process. Same result. I was able to surf the web after turning on bridge mode. You shouldn't have web access in bridge mode unless using the router, which was not connected or configured yet.
In previous issues, a couple of years ago, my ISP account had been switched with someone else's when I tried to sign on. The weather was set for Silicon Valley. The name on the account was John.
It's this same weird stuff happening. Only now it's affecting the hardware. And fast.

I am at a loss to understand what to do or how to fix. It is over my head. Way over my head. Within moments of reconnecting I get compromised. That is why I feel it is occurring in or through my ISP.

Wiping hasn't solved anything.

I logged out of this site last night and shut down. When I turned on today, I get a message when I open IE: "Toshiba Flashcard...", with "Close Program Now" as the only available choice. Typed eng.virusinfo.info into the address bar, and I am still logged into the web page. On which I am now posting this.

Weird and above my head.

22.02.2008, 04:28
Have I stepped on some toes that are connected to a doopa I must kiss? :kiss2:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll" ["Kaspersky Lab"]

Is this from Kaspersky or is it suspicious?
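
A practical way to answer that question, as an added example that is not part of the thread: rather than trusting the vendor string printed next to the entry (that string comes from the file's version resource and is trivially forged), read every AppInit_DLLs value, expand the 8.3 short path (C:\PROGRA~1\...), and check the DLL's Authenticode signature. The script below is example code written for this page, not a tool from the thread; it assumes it is run in an elevated PowerShell on the affected Vista machine, and the registry locations are the documented AppInit_DLLs keys for 64-bit and 32-bit processes.

```powershell
# Added example: audit AppInit_DLLs entries and verify each DLL's digital signature.
# Assumes an elevated PowerShell prompt; these are the standard AppInit_DLLs keys.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllReport {
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        # On Windows 7 and later the list is ignored unless LoadAppInit_DLLs is 1;
        # Vista loads it regardless, so report the flag but do not rely on it.
        $loadFlag = $props.LoadAppInit_DLLs
        $raw = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # The value is a space- or comma-separated list of DLL paths.
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $path = [System.Environment]::ExpandEnvironmentVariables($entry)
            $exists = Test-Path -LiteralPath $path
            if ($exists) {
                # Get-Item resolves 8.3 short names (PROGRA~1) to the long path.
                $path = (Get-Item -LiteralPath $path).FullName
                $sig = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            } else {
                $status = 'FileMissing'; $signer = ''; $hash = ''
            }
            [pscustomobject]@{
                Key        = $key
                LoadFlag   = $loadFlag
                Dll        = $path
                Exists     = $exists
                SigStatus  = $status   # expect 'Valid' for a legitimate vendor DLL
                Signer     = $signer   # compare to the vendor you expect, e.g. Kaspersky Lab
                Sha256     = $hash     # submit to your AV vendor / VirusTotal if unsure
            }
        }
    }
}

Get-AppInitDllReport | Format-List
```

An entry whose SigStatus is Valid and whose Signer names the product vendor you installed is what a legitimate hooking DLL looks like; a DLL that is unsigned, signed by someone else, or sitting in a user-writable directory is the case that deserves the hash lookup. Note that the check only covers this one load point; it says nothing about the ntdll.dll hook reported by Gmer.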

22.02.2008, 21:06
The file is being saved in a funny location:
AppData/Local/VirtualStore/Program Files/HJT/
I thought it was supposed to be saved in the Program Files/HJT folder.
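
The location above is where Vista's UAC file virtualization redirects writes that a non-elevated program attempts under Program Files. The same mechanism means a copy of a file under VirtualStore can shadow the real one for that user, so it is worth listing what lives there. The script below is an added example, not part of the thread; it assumes only the standard VirtualStore layout under %LOCALAPPDATA% and that the system drive is C:.

```powershell
# Added example: map every file under the user's VirtualStore back to the path it
# shadows, and flag cases where the real file exists with different content.
# Assumes the standard Vista+ layout: %LOCALAPPDATA%\VirtualStore\<DriveFolder>\...
$store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$systemDrive = $env:SystemDrive   # e.g. "C:"

function Get-VirtualStoreReport {
    if (-not (Test-Path -LiteralPath $store)) { return }
    Get-ChildItem -LiteralPath $store -Recurse -File | ForEach-Object {
        # Strip the VirtualStore prefix: "...\VirtualStore\Program Files\HJT\x.log"
        $relative = $_.FullName.Substring($store.Length).TrimStart('\')
        $realPath = Join-Path "$systemDrive\" $relative
        $realExists = Test-Path -LiteralPath $realPath
        $differs = $false
        if ($realExists) {
            $a = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $b = (Get-FileHash -LiteralPath $realPath -Algorithm SHA256).Hash
            $differs = ($a -ne $b)
        }
        [pscustomobject]@{
            ShadowCopy   = $_.FullName
            RealPath     = $realPath
            RealExists   = $realExists
            ContentDiffer = $differs     # a shadowed, differing .exe/.dll is worth a closer look
            LastWrite    = $_.LastWriteTime
        }
    }
}

Get-VirtualStoreReport | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

A log file that a tool wrote from a non-elevated session landing here is expected and harmless; running the tool as administrator makes it write to the real folder. Executables or DLLs under VirtualStore whose real counterpart exists with different content are the entries to examine.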

23.02.2008, 20:41
What I have come to realize is you guys are tops in your fields.
I am glad that you offer insight and help to people like myself.
I understand that this is a war and I am caught in the middle, so to speak. I don't like being the middleman in this scenario.

You guys are on the creative edge of college and I am still mucking about in elementary school.

Also, I may be a quarter bubble off level, but that is nothing a shim can't take care of. :crazy:

I posted this attachment because AVZ, for some reason, does not always show the ntdll.dll hook/hijack. Not sure why. I may run a scan once a day or every other day; sometimes it shows, sometimes not.
I ran Process Monitor, and it shows "service" opening every reg key: open, enum, close, and on occasion create. It also did it with every file. I saved a snippet.
And the book is going well.