[DONE] NDMONPROTO hidden service

CastleCops -> Rootkit Revelations

Author: esource PostPosted: Sun Jun 29, 2008 5:20 pm    Post subject: NDMONPROTO hidden service

Rootkit Revealer just indicated a whole set of registry entries with embedded nulls: HKLM\System\ControlSet001\Services\NDMONPROTO. These would not respond to Sysinternals' RegDelNull, nor could I delete them with Regedit. On checking with Gmer, it indicates a hidden service and possible rootkit. Using SDFix and ComboFix did not affect the registry entries/Gmer result.
Any thoughts on eradicating this? CastleCops has the only internet search result for NDMONPROTO - unfortunately, not successfully solved that time (April/May 08)!

esource

Author: esource PostPosted: Sun Jun 29, 2008 5:28 pm    Post subject:

Ooops! I should have added this is a Dell Dimension 8200 running w2k.

esource

Author: negster22 PostPosted: Tue Jul 01, 2008 3:24 am    Post subject:

Hi esource,

Sorry to hear you have a cause for concern.

Can you post your RKR and Gmer logs please.

Why did you decide to do rootkit scans - as part of a routine checkup or are you experiencing infection symptoms? If the latter is the case, when did the symptoms begin, and please elaborate on what they are.

Out of curiosity because you are running Win 2K - are you thinking of upgrading your OS or getting a new PC in the near future? Do you have both a floppy drive and a CD/RW drive on the PC you posted about?

Author: IP: 64.229.*.* PostPosted: Tue Jul 01, 2008 12:36 pm    Post subject:

Hi Negster

Logs (Gmer short and long) posted below.

No infection symptoms, just a continual process of checking.

A new laptop running XP is arriving this week - however, the PC and old laptop still run W2k.

The old laptop has a floppy drive and a CD drive - reader but not writer.

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-07-01 08:03:53
Windows 5.0.2195 Service Pack 4


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-07-01 08:16:42
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB9FB71C2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xBE7C7040] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB9FB70AE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB9FB6184] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xBE6BB444] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xBE7C7510] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBE7CD870] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xBE7D0FD0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xBE7C7600] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xBE7C3F20] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xBE7CF6E0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xBE6BB922] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFE8BB23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xBE7CD580] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xBE7CF8B0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB9FB66AA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xBE6BB51E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBE7CD350] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xBE7CD150] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xBE6BB63E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xBE7CFCB0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xBE7C6C00] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xBE6BB5FE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xBE7C7220] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB9FB6ED8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xBE6BB77E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xBE7CDCD0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB9FB6E10] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

? srescan.sys The system cannot find the file specified. !
? C:\WINNT\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE8B6E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE8BA5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BFE8BA33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BFE8B979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BFE8B48A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE8B6E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE8BA5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE8BA5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE8B6E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE8B6E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE8BA5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BE7CBCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BE7CBE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BE7CC1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BE7CC320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BE7CBCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BE7CC1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BE7CC320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BE7CBE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BE7CBCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BE7CC320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BE7CC1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\nbf.sys[NDIS.SYS!NdisCloseAdapter] [BE7CC320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\nbf.sys[NDIS.SYS!NdisOpenAdapter] [BE7CC1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\nbf.sys[NDIS.SYS!NdisDeregisterProtocol] [BE7CBE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\nbf.sys[NDIS.SYS!NdisRegisterProtocol] [BE7CBCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [BE7D9330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [BE7C4670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [BE7C45C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [BE7C4770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [BE7C42D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINNT\system32\services.exe[272] @ C:\WINNT\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINNT\system32\services.exe[272] @ C:\WINNT\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior

---- EOF - GMER 1.0.14 ----

HKU\.DEFAULT\Control Panel\International 6/29/2008 12:56 PM 0 bytes Security mismatch.
HKU\S-1-5-21-220523388-152049171-854245398-500\Control Panel\International 6/29/2008 12:56 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 6/19/2001 2:20 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/19/2001 2:20 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 1/25/2002 11:37 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:357dc05e-8931-4467-96e8-dee3da5e4ed3* 1/20/2002 4:49 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 7/30/2006 5:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 6/19/2006 7:28 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 6/24/2006 8:11 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 6/18/2006 11:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 7/25/2006 5:46 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 8/2/2006 9:06 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 8/12/2007 8:09 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 12/25/2005 6:17 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 5/1/2006 8:03 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 11/7/2005 8:51 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 9/8/2005 9:23 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 5/19/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 7/19/2004 7:01 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 9/23/2004 7:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 9/15/2005 8:07 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 11/15/2004 5:00 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 10/18/2005 6:28 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 10/14/2007 10:33 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 11/15/2004 6:43 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 11/6/2007 6:03 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 12/27/2007 8:09 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 12/3/2004 11:44 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 10/20/2005 1:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 10/27/2005 5:20 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 12/15/2005 3:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 5/22/2005 11:08 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 5/2/2006 12:03 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 9/20/2007 9:20 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 5/25/2007 3:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 12/23/2007 9:59 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 6/29/2008 12:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 7/30/2004 10:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 4/27/2005 7:26 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 6/28/2008 3:05 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 5/14/2007 8:54 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 10/2/2004 8:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 10/2/2007 11:04 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 12/21/2007 5:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 5/25/2007 12:12 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 9/28/2006 8:30 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 10/27/2005 5:28 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 4/14/2005 10:06 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 9/10/2006 10:01 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 8/2/2006 11:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 7/30/2006 5:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 6/19/2006 7:28 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 6/24/2006 8:11 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 6/18/2006 11:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 7/25/2006 5:46 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 8/2/2006 9:06 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 8/12/2007 8:09 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 12/25/2005 6:17 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 5/1/2006 8:03 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 11/7/2005 8:51 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 9/8/2005 9:23 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 5/19/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 7/19/2004 7:01 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 9/23/2004 7:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 9/15/2005 8:07 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 11/15/2004 5:00 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 10/18/2005 6:28 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 10/14/2007 10:33 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 11/15/2004 6:43 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 11/6/2007 6:03 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 12/27/2007 8:09 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 12/3/2004 11:44 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 10/20/2005 1:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 10/27/2005 5:20 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 12/15/2005 3:32 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 5/22/2005 11:08 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 5/2/2006 12:03 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 9/20/2007 9:20 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 5/25/2007 3:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 12/23/2007 9:59 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 6/29/2008 12:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 7/30/2004 10:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 4/27/2005 7:26 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 6/28/2008 3:05 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 5/14/2007 8:54 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 10/2/2004 8:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 10/2/2007 11:04 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 12/21/2007 5:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 5/25/2007 12:12 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 9/28/2006 8:30 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 10/27/2005 5:28 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 4/14/2005 10:06 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 9/10/2006 10:01 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 8/2/2006 11:32 PM 0 bytes Key name contains embedded nulls (*)

Author: IP: 64.229.*.* PostPosted: Tue Jul 01, 2008 3:28 pm    Post subject:

Got confused - working on two problems at the same time! The PC has a floppy drive and a CD R/W drive.

esource

Author: negster22 PostPosted: Wed Jul 02, 2008 1:57 am    Post subject:

Hi esource,

The hidden service NDMONPROTO is one we have seen before on a PC infected with the MBR rootkit on a Win 2K system, as you know.

This line in your Gmer log:

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior

Signifies MBR modification of the partition boot sector. That can be caused by a rootkit, and in your case the hidden service points to that as the probable cause.

We can try to clean you up or you may want to just wait until your new XP PC comes in a week and migrate to that.

Let me know what you prefer to do.
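An added triage helper for the two log formats quoted above (GMER and RootkitRevealer); this is example code written for this page, not from the thread, GMER or RKR. It assumes an allowlist of the security vendors visible in the log (avast!/ALWIL and Zone Labs) and runs on constructed excerpts of those logs.

```python
"""Triage helper for GMER and RootkitRevealer (RKR) text logs.

Added example, not code from the CastleCops thread, GMER or RKR. It parses
the plain-text formats quoted in the thread, lists hidden services, disk
anomalies, SSDT hooks not owned by an allowlisted security product and RKR
'embedded nulls' keys, then ties the hidden service to its null-named keys.
"""
import re
from collections import Counter

# Vendors whose SSDT hooks are expected on this host. Assumption: taken from
# the products visible in the thread's log (avast!/ALWIL, ZoneAlarm TrueVector).
KNOWN_HOOKERS = ("ALWIL Software", "Zone Labs, LLC")

SERVICE_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) (\S+)")
DISK_RE = re.compile(r"^Disk (\S+) sector (\d+): (.+)$")
SSDT_RE = re.compile(r"^SSDT (\S+) \((.+?)\) (Zw\w+) \[0x([0-9A-Fa-f]+)\]")
NULL_RE = re.compile(r"^(HK\S+)\* .*Key name contains embedded nulls")


def parse_gmer(text):
    """Return hidden services, disk findings and non-allowlisted SSDT hooks."""
    hidden, disk, unknown_hooks = [], [], []
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            hidden.append(m.group(1))
        elif m := DISK_RE.match(line):
            disk.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := SSDT_RE.match(line):
            module, desc, syscall = m.group(1), m.group(2), m.group(3)
            # GMER tags every SSDT hook "ROOTKIT !!!"; hooks by the installed
            # AV/firewall are expected, anything else goes on the review list.
            if not any(vendor in desc for vendor in KNOWN_HOOKERS):
                unknown_hooks.append((syscall, module, desc))
    return {"hidden": hidden, "disk": disk, "unknown_hooks": unknown_hooks}


def parse_rkr(text):
    """Count RKR 'Key name contains embedded nulls' hits per registry path."""
    counts = Counter()
    for line in text.splitlines():
        if m := NULL_RE.match(line):
            counts[m.group(1)] += 1
    return counts


def correlate(gmer, rkr_counts):
    """Map each hidden service to the number of null-named keys it owns."""
    hits = {}
    for svc in gmer["hidden"]:
        suffix = "\\SERVICES\\" + svc.upper()
        n = sum(c for path, c in rkr_counts.items() if path.upper().endswith(suffix))
        if n:
            hits[svc] = n
    return hits


def triage(gmer_text, rkr_text):
    """Findings in the order a helper would read them out."""
    gmer, rkr = parse_gmer(gmer_text), parse_rkr(rkr_text)
    linked = correlate(gmer, rkr)
    findings = [f"hidden service {s}: {linked.get(s, 0)} null-named key(s) under Services"
                for s in gmer["hidden"]]
    findings += [f"disk {dev} sector {sec}: {note}" for dev, sec, note in gmer["disk"]]
    findings += [f"review SSDT hook {sc} by {mod} ({desc})"
                 for sc, mod, desc in gmer["unknown_hooks"]]
    return findings


# Constructed excerpts in the two log formats quoted in the thread.
SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB9FB71C2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBE7CD870] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFE8BB23] <-- ROOTKIT !!!
Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior
"""
SAMPLE_RKR = r"""
HKU\.DEFAULT\Control Panel\International 6/29/2008 12:56 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 6/19/2001 2:20 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 7/30/2006 5:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\NDMONPROTO* 6/19/2006 7:28 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO* 7/30/2006 5:18 PM 0 bytes Key name contains embedded nulls (*)
"""
```

Call `triage(SAMPLE_GMER, SAMPLE_RKR)` (or pass the full logs from the thread) to get the hidden-service, disk-sector and unreviewed-hook findings as plain strings; the IPVNMon.sys hook lands on the review list only because its vendor is not in the allowlist, not because the script judges it malicious.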

Author: esource PostPosted: Wed Jul 02, 2008 1:07 pm    Post subject:

I have now decided that I'll just wait to get the new XP PC and don't feel too comfortable using a PC that has had a rootkit infection - even if we managed to clean it up.

Tx for your help/confirmation

esource

Author: negster22 PostPosted: Wed Jul 02, 2008 2:20 pm    Post subject:

You're welcome, esource. I support your decision. Enjoy your new computer when it arrives!


