Michaelgoff79

asked on

Root Kit on Domain Controller

I would like to know if these results allow us to safely conclude that the server has a rootkit, and whether or not there is a way to determine how it got there, how much access the rootkit allows, and whether or not there is a way to tell if any of the data has been compromised. RealVNC has been on the server since 2004 and no one ever updated the software; there have been hundreds of people trying to log in to it from all over, and I know that there are some exploits for older versions. Also, I know that the server has not been patched for well over 2 years. The guy who took care of the IT at this company was mostly here for desktop support. I would also like to know about our legal obligations to inform customers of these findings. The first scan is from Virginity Verifier; the RootkitRevealer results are in an attached file, and the GMER results are also in an attached file. SUPERAntiSpyware found Worm.evilbot-B.
Any help that you may provide will be greatly appreciated!!!
verifying module: [        ntoskrnl.exe]  0%... -
verifying module: [          ftdisk.sys]  9%... -
verifying module: [            disk.sys] 17%... -
verifying module: [            Ntfs.sys] 20%... \
verifying module: [            NDIS.sys] 21%... |
verifying module: [             TDI.SYS] 41%... /
verifying module: [           tcpip.sys] 62%... \
verifying module: [             afd.sys] 65%... \
verifying module: [           ntdll.dll] 92%... -
verifying module: [        kernel32.dll] 93%... \
verifying module: [        ADVAPI32.dll] 95%... \
verifying module: [           PSAPI.DLL] 97%... /
verifying module: [          WS2_32.dll] 97%... -
verifying module: [          USER32.dll] 99%... |
ntoskrnl.exe         (80800000 - 80a75000)... suspected! (verdict = 5).
module ntoskrnl.exe [0x80800000 - 0x80a75000]:
 0x80834d38 (section .text)   5 byte(s):
  JMPing code (jmp to: 0xf71d8bab)
  address 0xf71d8bab is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :2b e1 c1 e9 02
  memory :e9 73 3e 9a 76
  verdict = 2

 0x80834e4c (section .text)   1 byte(s):  exclusion filter: KiSystemCallExitBranch() [05->06]
  file   :05
  memory :06
  verdict = 1

 0x8083ab62 (section .text)  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x8083ab7a (section .text)   1 byte(s):  exclusion filter: KeFlushCurrentTb() [c3->00]
  file   :c3
  memory :00
  verdict = 1

 0x8083b0e7 (section .text) [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
  file   :c3
  memory :90
  verdict = 1

 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  file   :78 3f 9a 80
  memory :48 d6 86 8a
  verdict = 5

 0x8083fcb4 [KiServiceTable[14]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8266a0 DOES NOT belong to ANY MODULE!
  file   :2d 93 91 80
  memory :a0 66 82 8a
  verdict = 5

 0x8083fcc4 [KiServiceTable[18]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c4468 DOES NOT belong to ANY MODULE!
  file   :2b 2d 85 80
  memory :68 44 7c 8a
  verdict = 5

 0x8083fce8 [KiServiceTable[27]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d818 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :ce ae 92 80
  memory :18 d8 44 f7
  verdict = 2

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :9f f6 93 80
  memory :30 d3 e6 b9
  verdict = 2

 0x8083fd30 [KiServiceTable[45]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d3f8 DOES NOT belong to ANY MODULE!
  file   :50 1b 94 80
  memory :f8 d3 86 8a
  verdict = 5

 0x8083fd38 [KiServiceTable[47]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf7441a20 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :73 c6 8c 80
  memory :20 1a 44 f7
  verdict = 2

 0x8083fd58 [KiServiceTable[55]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7e6648 DOES NOT belong to ANY MODULE!
  file   :51 58 91 80
  memory :48 66 7e 8a
  verdict = 5

 0x8083fda8 [KiServiceTable[75]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422a8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :5d fc 93 80
  memory :a8 22 44 f7
  verdict = 2

 0x8083fdb0 [KiServiceTable[77]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d910 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :20 00 94 80
  memory :10 d9 44 f7
  verdict = 2

 0x8083fdd8 [KiServiceTable[87]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824af0 DOES NOT belong to ANY MODULE!
  file   :10 41 85 80
  memory :f0 4a 82 8a
  verdict = 5

 0x8083fdf0 [KiServiceTable[93]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d4c8 DOES NOT belong to ANY MODULE!
  file   :5d d2 90 80
  memory :c8 d4 86 8a
  verdict = 5

 0x8083fdf8 [KiServiceTable[95]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d588 DOES NOT belong to ANY MODULE!
  file   :5f 0f 91 80
  memory :88 d5 86 8a
  verdict = 5

 0x8083fe40 [KiServiceTable[113]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a885828 DOES NOT belong to ANY MODULE!
  file   :76 16 93 80
  memory :28 58 88 8a
  verdict = 5

 0x8083fe5c [KiServiceTable[120]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d338 DOES NOT belong to ANY MODULE!
  file   :46 48 93 80
  memory :38 d3 86 8a
  verdict = 5

 0x8083fe70 [KiServiceTable[125]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d8c0 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :b7 e0 93 80
  memory :c0 d8 e6 b9
  verdict = 2

 0x8083fe80 [KiServiceTable[129]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a83da50 DOES NOT belong to ANY MODULE!
  file   :03 4b 93 80
  memory :50 da 83 8a
  verdict = 5

 0x8083fe98 [KiServiceTable[135]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a9634d8 DOES NOT belong to ANY MODULE!
  file   :5c d8 91 80
  memory :d8 34 96 8a
  verdict = 5

 0x8083feb8 [KiServiceTable[143]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xba26b280 is inside wpsdrvnt.sys module [0xba266000-0xba274000]
  target module path: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
  file   :8c 10 94 80
  memory :80 b2 26 ba
  verdict = 2

 0x8083fed0 [KiServiceTable[149]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf71d77b0 is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :34 0f 94 80
  memory :b0 77 1d f7
  verdict = 2

 0x8083ff18 [KiServiceTable[167]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422c8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :21 f3 93 80
  memory :c8 22 44 f7
  verdict = 2

 0x8083ff60 [KiServiceTable[185]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d866 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :7e cb 93 80
  memory :66 d8 44 f7
  verdict = 2

 0x8083ffd4 [KiServiceTable[214]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a821820 DOES NOT belong to ANY MODULE!
  file   :6b 5e 91 80
  memory :20 18 82 8a
  verdict = 5

 0x8083fff0 [KiServiceTable[221]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a963418 DOES NOT belong to ANY MODULE!
  file   :1a 41 8f 80
  memory :18 34 96 8a
  verdict = 5

 0x80840030 [KiServiceTable[237]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a869860 DOES NOT belong to ANY MODULE!
  file   :39 b6 91 80
  memory :60 98 86 8a
  verdict = 5

 0x80840034 [KiServiceTable[238]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c1460 DOES NOT belong to ANY MODULE!
  file   :6a 73 92 80
  memory :60 14 7c 8a
  verdict = 5

 0x80840064 [KiServiceTable[250]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d0b0 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :80 f3 9c 80
  memory :b0 d0 44 f7
  verdict = 2

 0x80840094 [KiServiceTable[262]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d278 DOES NOT belong to ANY MODULE!
  file   :bd 3e 9a 80
  memory :78 d2 86 8a
  verdict = 5

 0x80840098 [KiServiceTable[263]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8267a8 DOES NOT belong to ANY MODULE!
  file   :8e 43 8f 80
  memory :a8 67 82 8a
  verdict = 5

 0x808400a4 [KiServiceTable[266]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e18f20 is inside SASKUTIL.sys module [0xb9e10000-0xb9e31000]
  target module path: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
  file   :8d 28 91 80
  memory :20 8f e1 b9
  verdict = 2

 0x808400a8 [KiServiceTable[267]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c13a0 DOES NOT belong to ANY MODULE!
  file   :6b 1b 92 80
  memory :a0 13 7c 8a
  verdict = 5

 0x808400d0 [KiServiceTable[277]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86a218 DOES NOT belong to ANY MODULE!
  file   :b2 36 93 80
  memory :18 a2 86 8a
  verdict = 5

 0x808400f8 [KiServiceTable[287]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824bc0 DOES NOT belong to ANY MODULE!
  file   :89 a9 91 80
  memory :c0 4b 82 8a
  verdict = 5

module ntoskrnl.exe: end of details
ntdll.dll            (7c800000 - 7c8c0000)... innocent hooking (verdict = 2).
module ntdll.dll [0x7c800000 - 0x7c8c0000]:
 0x7c8211fd (section .text) [NtCreateFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617752cb)
  address 0x617752cb is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 ce 40 f5 e4
  verdict = 2

 0x7c82123d (section .text) [NtCreateKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775305)
  address 0x61775305 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 c8 40 f5 e4
  verdict = 2

 0x7c8212fd (section .text) [NtCreateThread()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177533f)
  address 0x6177533f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 42 40 f5 e4
  verdict = 2

 0x7c82139d (section .text) [NtDeleteFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775379)
  address 0x61775379 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 dc 3f f5 e4
  verdict = 2

 0x7c8213cd (section .text) [NtDeleteValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753b3)
  address 0x617753b3 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 e6 3f f5 e4
  verdict = 2

 0x7c82169d (section .text) [NtMapViewOfSection()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753ed)
  address 0x617753ed is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 50 3d f5 e4
  verdict = 2

 0x7c82172d (section .text) [NtOpenFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775427)
  address 0x61775427 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 fa 3c f5 e4
  verdict = 2

 0x7c82175d (section .text) [NtOpenKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775461)
  address 0x61775461 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 04 3d f5 e4
  verdict = 2

 0x7c821c0d (section .text) [NtRenameKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177549b)
  address 0x6177549b is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 8e 38 f5 e4
  verdict = 2

 0x7c821e1d (section .text) [NtSetInformationFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617754d5)
  address 0x617754d5 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 b8 36 f5 e4
  verdict = 2

 0x7c821f8d (section .text) [NtSetValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177550f)
  address 0x6177550f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 82 35 f5 e4
  verdict = 2

 0x7c82202d (section .text) [NtTerminateProcess()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775549)
  address 0x61775549 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 1c 35 f5 e4
  verdict = 2

module ntdll.dll: end of details

SYSTEM INFECTION LEVEL: 5
    0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

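Added example (not part of the original post and not one of the tools it names): a small Python triage script for System Virginity Verifier output of the kind pasted above. It parses the KiServiceTable HOOK entries, checks that the four "memory" bytes SVV prints decode (little-endian, as x86 SSDT pointers are stored) to the target address it reports, and separates hooks whose target lies inside a named driver from hooks whose target SVV could not attribute to any loaded module. The sample text is an excerpt copied verbatim from the report above; the parser assumes SVV's line layout as shown there. It reports SSDT indices only, because the index-to-syscall-name mapping depends on the exact kernel build, which the page does not state.

```python
import re
from collections import Counter

# Excerpt copied from the System Virginity Verifier report above (five of
# its KiServiceTable entries, kept verbatim so the parser runs offline).
SVV_EXCERPT = r"""
 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  file   :78 3f 9a 80
  memory :48 d6 86 8a
  verdict = 5

 0x8083fce8 [KiServiceTable[27]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d818 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :ce ae 92 80
  memory :18 d8 44 f7
  verdict = 2

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :9f f6 93 80
  memory :30 d3 e6 b9
  verdict = 2

 0x8083fd30 [KiServiceTable[45]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d3f8 DOES NOT belong to ANY MODULE!
  file   :50 1b 94 80
  memory :f8 d3 86 8a
  verdict = 5

 0x808400a4 [KiServiceTable[266]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e18f20 is inside SASKUTIL.sys module [0xb9e10000-0xb9e31000]
  target module path: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
  file   :8d 28 91 80
  memory :20 8f e1 b9
  verdict = 2
"""

ENTRY_RE = re.compile(r"^\s*0x[0-9a-f]+\s+\[KiServiceTable\[(\d+)\]\]")
TARGET_RE = re.compile(r"address 0x([0-9a-f]+) (is inside (\S+) module|DOES NOT belong)")
MEMORY_RE = re.compile(r"^\s*memory\s*:\s*((?:[0-9a-f]{2}\s*)+)$")
VERDICT_RE = re.compile(r"verdict = (\d)")


def parse_ssdt_hooks(report):
    """Return one dict per 'KiServiceTable HOOK' entry in an SVV report."""
    hooks, cur = [], None
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "target": None,
                   "module": None, "memory": b"", "verdict": None}
            continue
        if cur is None:   # headers and inline .text patches are skipped here
            continue
        if m := TARGET_RE.search(line):
            cur["target"] = int(m.group(1), 16)
            cur["module"] = m.group(3)          # None when SVV found no owner
        elif m := MEMORY_RE.match(line):
            cur["memory"] = bytes.fromhex(m.group(1).replace(" ", ""))
        elif m := VERDICT_RE.search(line):
            cur["verdict"] = int(m.group(1))
            hooks.append(cur)                   # the verdict line closes an entry
            cur = None
    return hooks


def pointer_matches(hook):
    """The 4 'memory' bytes are the slot contents as stored; x86 SSDT slots
    hold little-endian pointers, so they must decode to the reported target."""
    return int.from_bytes(hook["memory"], "little") == hook["target"]


def triage(hooks):
    """Split hooks with a named owning driver from hooks whose target lies in
    memory that no loaded module claims (SVV's verdict-5 cases)."""
    return {
        "unattributed": sorted(h["index"] for h in hooks if h["module"] is None),
        "by_module": Counter(h["module"] for h in hooks if h["module"]),
        "pointers_consistent": all(pointer_matches(h) for h in hooks),
    }


if __name__ == "__main__":
    result = triage(parse_ssdt_hooks(SVV_EXCERPT))
    print("pointer bytes consistent:", result["pointers_consistent"])
    print("hooks owned by a named driver:", dict(result["by_module"]))
    print("SSDT indices hooked from unattributed memory:", result["unattributed"])
```

The split the script produces is the one this thread turns on: a hook SVV attributes to a named driver comes with an owner whose file can be checked, while a target that no loaded module claims has no such owner and is the part of the report that needs an explanation before anything is concluded either way.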
jahboite

You didn't attach the GMER and RootkitRevealer results!

So far, it's not conclusive, and although the areas of memory without reference to loaded modules might be cause for concern, it might be your Symantec software protecting itself.

The evilbot may be a false positive arising from SAS's detection of a Symantec file named winexec.exe. You could upload this file to VirusTotal at http://www.virustotal.com/ to be analysed; it may well come back as http://www.virustotal.com/analisis/705cbc083b5dffe68f9eb8c565b1f296.

Do post the other rootkit reports.
Michaelgoff79

ASKER

Sorry, it looks like I have posted the same question twice. If you search the knowledge base for "rootkit on domain controller" you will find the logs attached to that posted question. I am also concerned that the results are inconclusive. However, I definitely want to get to the bottom of this and would certainly appreciate your input. I will post the logs for HijackThis; IceSword failed to initialize, and RootkitRevealer gave an error dumping hives and couldn't mount the volume. I can say that RealVNC has been wide open since 2004, and that neither the server nor the workstations have been patched for a couple of years. They have a wireless router with WEP enabled in a college town that primarily focuses on technology, comp sci, etc. Having said that, I find it very hard to believe that their network has not been compromised in some form.
ASKER CERTIFIED SOLUTION
jahboite
This solution is only available to members.