CastleCops® NDMONPROTO hidden service

Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

Forum FAQ

Usergroups

Profile

Select FavForums

[DONE]NDMONPROTO hidden service

All -> FavForums -> Rootkit Revelations

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

esource

Trooper
Trooper

Joined: Jun 29, 2008
Posts: 21

Posted: Sun Jun 29, 2008 5:20 pm Post subject: NDMONPROTO hidden service

Rootkit Revealer just indicated a whole set of registry entries with embedded nulls: HKLMSystem\ControlSet001\Services\NDMONPROTO. These would not respond to SysInternal's RefDelNull, nor could I delete them with Regedit. On checking with Gmer, it indicates a hidden service and possible rootkit. Using SDFix and ComboFix did not effect the registry entries/Gmer result. Any thoughts on eradicating this? CastleCops has the only internet search result for NDMONPROTO - unfortunately, not successfully solved that time (April/May 0! esource

esource

Trooper
Trooper

Joined: Jun 29, 2008
Posts: 21

Posted: Sun Jun 29, 2008 5:28 pm Post subject:

Ooops! I should have added this is a Dell Dimension 8200 running w2k. esource

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5274

Posted: Tue Jul 01, 2008 3:24 am Post subject:

Hi esource, Sorry to hear you have a cause for concern. Can you post your RKR and Gmer logs please. Why did you decide to do rootkit scans - as part of a routine checkup or are you experiencing infection symptoms? If the latter is the case, when did the symptoms begin, and please elaborate on what they are. Out of curiosity because you are running Win 2K - are you thinking of upgrading your OS or getting a new PC in the near future? Do you have both a floppy drive and a CD/RW drive on the PC you posted about? _________________ Negster22 - MS MVP - Consumer Security 2006-2008

IP: 64.229.*.*

Guest

IP: 64.229.*.*

Guest

Posted: Tue Jul 01, 2008 3:28 pm Post subject:

Got confused - working on two problems at the same time! The PC has a floppy drive and a CD R/W drive. esource

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5274

Posted: Wed Jul 02, 2008 1:57 am Post subject:

Hi esource, The hidden service NDMONPROTO is one we have seen before on a PC infected with the MBR rootkit on a Win 2K system, as you know. This line in your Gmer log: Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior Signifies MBR modification of the partition boot sector. That can be caused by a rootkit, and in your case the hidden service points to that as the probable cause. We can try to clean you up or you may want to just wait until your new XP PC comes in a week and migrate to that. Let me know what you prefer to do. _________________ Negster22 - MS MVP - Consumer Security 2006-2008

esource

Trooper
Trooper

Joined: Jun 29, 2008
Posts: 21

Posted: Wed Jul 02, 2008 1:07 pm Post subject:

I have now decided that I'll just wait to get the new XP PC and do'nt feel too comfortable using a PC that has had a rootkit infection - even if we managed to clean it up. Tx for your help/confirmation esource

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5274

Posted: Wed Jul 02, 2008 2:20 pm Post subject:

You're welcome, esource. I support your decision. Enjoy your new computer when it arrives! _________________ Negster22 - MS MVP - Consumer Security 2006-2008

	All -> FavForums -> Rootkit Revelations	All times are GMT
Page 1 of 1

You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 142ppm 0.541s (0.109s) Making cybercriminals unhappy since 2002*