A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9663  by erikloman
 Fri Nov 11, 2011 9:22 pm
HackJack wrote:Hitman Pro did not detect it, aswmbr and tdskiller did not run
HitmanPro is unable to use its driver because the rootkit is messing with the symbolic links (I guess). Thats why its not detecting this variant (HitmanPro falls back on a compatible scan instead of using its driver). I seek confirmation on the symbolic link blocker.
 #9664  by HackJack
 Fri Nov 11, 2011 9:42 pm
erikloman wrote:
HackJack wrote:Hitman Pro did not detect it, aswmbr and tdskiller did not run
HitmanPro is unable to use its driver because the rootkit is messing with the symbolic links (I guess). Thats why its not detecting this variant (HitmanPro falls back on a compatible scan instead of using its driver). I seek confirmation on the symbolic link blocker.


HitmanPro falls back on a compatible scan instead of using its driver - how should i check this
 #9665  by erikloman
 Fri Nov 11, 2011 9:54 pm
HackJack wrote:HitmanPro falls back on a compatible scan instead of using its driver - how should i check this
You can't. But rest assured it is. See also Advanced tab under Settings where you can switch manually. Internally if Direct Disk Access fails (due to driver problem) it reverts to the Compatible mode. But this mode cant find Rootkits for obvious reasons.
 #9668  by EP_X0FF
 Sat Nov 12, 2011 1:55 am
Hello,

Log likely confirm infection.

1. Do complete McAfee uninstall because it produces 3rd party rootkit effects and rescan.
2. Attach new log and screenshot of RkU->Tools->Kernel Callbacks Routines dialog.
3. If possible dump all physical memory and attach somewhere where we can access to inspect it.
 #9669  by HackJack
 Sat Nov 12, 2011 2:51 am
please find the new Rootkit Unhooker log after uninstalling McAfee and Hitman pro

i have attached the screenshoot for Kernal callback dialog box
Attachments
kernel callbacks.JPG
Kernal callback jpg
kernel callbacks.JPG (103.03 KiB) Viewed 376 times
log RKU
(28 KiB) Downloaded 29 times
 #9670  by EP_X0FF
 Sat Nov 12, 2011 2:54 am
Ok.

Delete callbacks for CreateProcess ?_empty_?, LoadImage unknown_notify_handler and try again other tools such as Hitman.
 #9671  by HackJack
 Sat Nov 12, 2011 3:09 am
Great it worked, Hitman pro fixed the MBR now !!!!!!!!!

can you please share the manual troubleshooting steps
Attachments
hitman pro.JPG
Hitman Pro
hitman pro.JPG (68.63 KiB) Viewed 374 times
 #9672  by EP_X0FF
 Sat Nov 12, 2011 3:20 am
If possible can you please upload something detected as Trojan here in password-protected archive before removing it with Hitman? Thanks.