Showing results for tags 'ssdt hooks'.
I run Malwarebytes as a routine check-up on a regular basis on my XP computer, and this time it popped up a malware file called adware.domianIQ, which it killed off. So I ran Spybot S&D to confirm nothing else was missed, and it popped up a directory folder under my Application Data called "conduit", which it said was related to the win32.downloader.gen malware. It did not actually find that malware file, and the folder was deleted. (The folder appeared to have been created around 2010.) I decided to run Malwarebytes Anti-Rootkit as well to double-check everything was OK; I've used it before, and even though it still says it's a beta version, it's never caused me any problems. The report from that program came up clean, but I began reading other posts here and at other forums and decided to use the program RogueKiller as a way to double-check the rootkit situation, as I have seen that having more than one program for each aspect of cleaning is often better than one. The RogueKiller program found some questionable things and corrected what it could. It removed all the local 127.0.0.1 website redirects which one of my security programs placed in my hosts file at some time to block access to all those sites, and I think this could have been left alone. Nothing else terribly serious like an actual rootkit file. But what really concerns me is all the unknown SSDT hooks it found, which I thought it would correct, but it just removed the ones that referred to mbamchameleon after I hit the "delete" button. I only know a little bit about rootkits, and I was told that they use these types of hooks to bury themselves into the Windows kernel, and this many unknown hooks really looks suspicious to me.

Several other hooks were listed as related to Symantec (which must be Norton Internet Security finding a way to protect itself), and under the category "legit" it labeled these hooks as "true", so the only ones it prints in these reports are the hooks it labeled as "false" under their "legit" heading:

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A78B3A0)
[Address] SSDT[13] : NtAlertThread @ 0x80581F8C -> HOOKED (Unknown @ 0x8A7A3AC8)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8A785008)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805A975C -> HOOKED (Unknown @ 0x8A7AC080)
[Address] SSDT[31] : NtConnectPort @ 0x80591DCA -> HOOKED (Unknown @ 0x8AA5BB28)
[Address] SSDT[43] : NtCreateMutant @ 0x8057D470 -> HOOKED (Unknown @ 0x8A05D680)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805A86E8 -> HOOKED (Unknown @ 0x8A7CB060)
[Address] SSDT[53] : NtCreateThread @ 0x805840DD -> HOOKED (Unknown @ 0x8A66F528)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80660711 -> HOOKED (Unknown @ 0x8A7AC160)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057E299 -> HOOKED (Unknown @ 0x8A0FE3F0)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805700B0 -> HOOKED (Unknown @ 0x8A7C5148)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x80599621 -> HOOKED (Unknown @ 0x8A05D770)
[Address] SSDT[91] : NtImpersonateThread @ 0x80586AD6 -> HOOKED (Unknown @ 0x8A78B2C0)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8A820228)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A7C5068)
[Address] SSDT[114] : NtOpenEvent @ 0x8058F5DD -> HOOKED (Unknown @ 0x8A77D1A0)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (C:\WINDOWS\SYSTEM32\DRIVERS\mbamchameleon.sys @ 0xB3F08C4C)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805774B2 -> HOOKED (Unknown @ 0x8A75F138)
[Address] SSDT[125] : NtOpenSection @ 0x8057CF33 -> HOOKED (Unknown @ 0x8A7D81A0)
[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (C:\WINDOWS\SYSTEM32\DRIVERS\mbamchameleon.sys @ 0xB3F08D3C)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80583D91 -> HOOKED (Unknown @ 0x8A7CB150)
[Address] SSDT[206] : NtResumeThread @ 0x80584754 -> HOOKED (Unknown @ 0x8A7A3BA8)
[Address] SSDT[213] : NtSetContextThread @ 0x806340DB -> HOOKED (Unknown @ 0x8A7D1110)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80573B37 -> HOOKED (Unknown @ 0x8A7D1008)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805E5EDD -> HOOKED (Unknown @ 0x8A7D8078)
[Address] SSDT[253] : NtSuspendProcess @ 0x80635E77 -> HOOKED (Unknown @ 0x8A77D0E0)
[Address] SSDT[254] : NtSuspendThread @ 0x80635D93 -> HOOKED (Unknown @ 0x8A77F0F0)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058C3F5 -> HOOKED (Unknown @ 0x8A7D6050)
[Address] SSDT[258] : unknown @ 0x805815E5 -> HOOKED (Unknown @ 0x8A77F008)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057BCA8 -> HOOKED (Unknown @ 0x8A7DE138)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A785098)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8AB9A158)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A7F3E50)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A7F3F00)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A75CB70)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8AB94518)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A79D530)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8ABFF900)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A01C220)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8AC0A098)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x89FCC6C8)

After the delete button, I see the hooks to mbamchameleon have been removed, but not all these others:

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A859118)
[Address] SSDT[13] : NtAlertThread @ 0x80581F8C -> HOOKED (Unknown @ 0x8A859008)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8A7D4150)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805A975C -> HOOKED (Unknown @ 0x8A89E0F8)
[Address] SSDT[31] : NtConnectPort @ 0x80591DCA -> HOOKED (Unknown @ 0x8AA39548)
[Address] SSDT[43] : NtCreateMutant @ 0x8057D470 -> HOOKED (Unknown @ 0x8A839090)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805A86E8 -> HOOKED (Unknown @ 0x8A8510E8)
[Address] SSDT[53] : NtCreateThread @ 0x805840DD -> HOOKED (Unknown @ 0x8A7D6A00)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80660711 -> HOOKED (Unknown @ 0x8A844050)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057E299 -> HOOKED (Unknown @ 0x8A7F5108)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805700B0 -> HOOKED (Unknown @ 0x8A850108)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x80599621 -> HOOKED (Unknown @ 0x8A839160)
[Address] SSDT[91] : NtImpersonateThread @ 0x80586AD6 -> HOOKED (Unknown @ 0x8A859058)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8AA39510)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A875008)
[Address] SSDT[114] : NtOpenEvent @ 0x8058F5DD -> HOOKED (Unknown @ 0x8A839058)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A7F92C0)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805774B2 -> HOOKED (Unknown @ 0x8A7F7198)
[Address] SSDT[125] : NtOpenSection @ 0x8057CF33 -> HOOKED (Unknown @ 0x8A881058)
[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (Unknown @ 0x8A7F5008)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80583D91 -> HOOKED (Unknown @ 0x8A851008)
[Address] SSDT[206] : NtResumeThread @ 0x80584754 -> HOOKED (Unknown @ 0x8A8430E0)
[Address] SSDT[213] : NtSetContextThread @ 0x806340DB -> HOOKED (Unknown @ 0x8A880160)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80573B37 -> HOOKED (Unknown @ 0x8A875080)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805E5EDD -> HOOKED (Unknown @ 0x8A8440D0)
[Address] SSDT[253] : NtSuspendProcess @ 0x80635E77 -> HOOKED (Unknown @ 0x8A8810D8)
[Address] SSDT[254] : NtSuspendThread @ 0x80635D93 -> HOOKED (Unknown @ 0x8A8431A0)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058C3F5 -> HOOKED (Unknown @ 0x8A7F3320)
[Address] SSDT[258] : unknown @ 0x805815E5 -> HOOKED (Unknown @ 0x8A8800A0)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057BCA8 -> HOOKED (Unknown @ 0x8A6EF198)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A850008)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A84AF00)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A03F0E0)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A057438)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A16D4D8)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A0574F8)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A057C88)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A057A60)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A057970)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A822758)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A09A830)

The MBR for my drive is intact and OK according to RogueKiller. I ran TDSSKiller next to see what that brought up, and all it showed were 9 questionable unsigned files; I quarantined 7 of them before I delete them, as I'd like to research them a bit further. (The default option available was just "skip", not "cure", as I've been told comes up when a dangerous rootkit file is found.)

01:17:09.0328 0904 Scan finished
01:17:09.0328 0904 ============================================================
01:17:09.0437 0896 Detected object count: 9
01:17:09.0437 0896 Actual detected object count: 9
01:20:50.0390 0896 Adobe LM Service ( UnsignedFile.Multi.Generic ) - skipped by user
01:20:50.0390 0896 Adobe LM Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:20:50.0468 0896 C:\WINDOWS\system32\drivers\aslm75.sys - copied to quarantine
01:20:50.0468 0896 aslm75 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0562 0896 C:\WINDOWS\system32\HPZinw12.dll - copied to quarantine
01:20:50.0562 0896 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0625 0896 C:\WINDOWS\system32\HPZipm12.dll - copied to quarantine
01:20:50.0625 0896 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0703 0896 C:\WINDOWS\system32\Drivers\PxHelp20.sys - copied to quarantine
01:20:50.0703 0896 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0750 0896 C:\WINDOWS\system32\Drivers\Scutum50.sys - copied to quarantine
01:20:50.0750 0896 Scutum50 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0828 0896 C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS - copied to quarantine
01:20:50.0828 0896 TVICHW32 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0828 0896 yukonx86 ( UnsignedFile.Multi.Generic ) - skipped by user
01:20:50.0828 0896 yukonx86 ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:20:50.0875 0896 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
01:20:50.0875 0896 \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
01:20:50.0890 0896 \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
01:20:50.0890 0896 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
01:20:50.0890 0896 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
01:20:50.0937 0896 \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
01:20:50.0937 0896 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Quarantine

The two I left alone were an Adobe License Manager file for Adobe software I purchased and a yukon86 file for the old Yukon Marvell Ethernet card I still use. But when I quarantined these 7 files, my Norton Internet Security popped up and suddenly said something related to the TDSS file system was malware; it flagged a file called tsk.0004.dta as something it calls ws.malware.2. Looking at the Symantec site, it describes this as a common threat signature which is dangerous, but does not say exactly what it is or was. It's been tagged because of their "heuristic function", which thinks it looks like other known malware, I guess. It was removed from my computer. So at this point I'm wondering if I'm OK or not. I still run XP and the computer has been working fine; I have not noticed any pop-up windows or misdirects on web pages, and if I had never run the RogueKiller program, I may have never even been concerned, as the 2 other anti-rootkit removal programs did their thing and did not report finding any serious files that needed curing. I'd appreciate any feedback from this forum. I know there are other programs out there that are supposed to identify the hooks and even give me a way to delete them, but I'm not sure where to turn or what software would be best to use. If these hooks are somehow legit, I'd really like to confirm that too. Thanks.
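A listing like the one in this post is hard to reason about by eye, especially when you have two scans to compare. The following is an added example written for this page; it is not RogueKiller's code and not something the poster ran. It parses lines in the exact "[Address] SSDT[n] : Name @ 0x... -> HOOKED (Owner @ 0x...)" shape shown above (including the run-together form in which they were pasted), groups hooks by the module the tool attributed them to, and diffs a before and after listing so you can see whether a clean-up removed a hook, only changed who it is attributed to, or only changed the address it points at. The sample input is an excerpt from the post's own two listings; the loaded-driver address range used for attribution is a constructed placeholder, not the real load address on the poster's machine.

```python
"""Triage helper for RogueKiller-style SSDT / Shadow SSDT hook listings (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One regex handles both SSDT lines (which carry an "@ original" address) and
# Shadow SSDT lines (which do not); finditer() lets it cope with several entries pasted on one line.
HOOK_RE = re.compile(
    r"\[Address\]\s+(?P<table>Shadow SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*"
    r"(?P<name>\S+)(?:\s*@\s*(?P<orig>0x[0-9A-Fa-f]+))?\s*->\s*HOOKED\s*"
    r"\((?P<owner>.+?)\s*@\s*(?P<target>0x[0-9A-Fa-f]+)\)"
)


@dataclass(frozen=True)
class Hook:
    table: str               # "SSDT" or "Shadow SSDT"
    index: int               # service number inside that table
    name: str                # syscall name, or "unknown" when the tool could not resolve it
    owner: str               # module the tool attributed the hook to, or "Unknown"
    target: int              # address the table entry currently points at
    original: Optional[int]  # original handler address (absent on Shadow SSDT lines)

    @property
    def key(self) -> Tuple[str, int]:
        return (self.table, self.index)


def parse_hooks(text: str) -> List[Hook]:
    """Extract every hook entry from a listing, whatever the line breaks look like."""
    return [
        Hook(
            table=m.group("table"),
            index=int(m.group("index")),
            name=m.group("name"),
            owner=m.group("owner").strip(),
            target=int(m.group("target"), 16),
            original=int(m.group("orig"), 16) if m.group("orig") else None,
        )
        for m in HOOK_RE.finditer(text)
    ]


def hooks_by_owner(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group hooked syscall names by attributed module; the "Unknown" bucket is the follow-up list."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        out.setdefault(h.owner, []).append(h.name)
    return out


def attribute_target(target: int, modules: List[Tuple[str, int, int]]) -> str:
    """Map a hook target to a loaded module by address range (name, base, end).

    This is the check a scanner does internally: a target inside a known driver image
    gets that driver's name; anything else stays "Unknown" and needs a human to look at it.
    """
    for name, base, end in modules:
        if base <= target < end:
            return name
    return "Unknown"


def diff_listings(before: List[Hook], after: List[Hook]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Compare two scans of the same machine.

    removed      : entry present before, gone after
    added        : entry present only after
    reattributed : same table entry, different owner (e.g. a named driver became "Unknown")
    moved        : same entry and owner, but the target address changed
    unchanged    : identical entry
    """
    b = {h.key: h for h in before}
    a = {h.key: h for h in after}
    result: Dict[str, List[Tuple[str, int, str]]] = {
        k: [] for k in ("removed", "added", "reattributed", "moved", "unchanged")
    }
    for key in sorted(set(b) | set(a)):
        if key not in a:
            result["removed"].append((key[0], key[1], b[key].name))
        elif key not in b:
            result["added"].append((key[0], key[1], a[key].name))
        else:
            x, y = b[key], a[key]
            if x.owner != y.owner:
                result["reattributed"].append((key[0], key[1], f"{x.owner} -> {y.owner}"))
            elif x.target != y.target:
                result["moved"].append((key[0], key[1], f"0x{x.target:08X} -> 0x{y.target:08X}"))
            else:
                result["unchanged"].append((key[0], key[1], x.name))
    return result


# Sample input: four entries excerpted from the post's first and second listings, pasted run-together.
BEFORE = (
    "¤¤¤ Driver : [LOADED] ¤¤¤ "
    "[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A78B3A0) "
    "[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (C:\\WINDOWS\\SYSTEM32\\DRIVERS\\mbamchameleon.sys @ 0xB3F08C4C) "
    "[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (C:\\WINDOWS\\SYSTEM32\\DRIVERS\\mbamchameleon.sys @ 0xB3F08D3C) "
    "[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8AC0A098)"
)
AFTER = (
    "¤¤¤ Driver : [LOADED] ¤¤¤ "
    "[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A859118) "
    "[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A7F92C0) "
    "[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (Unknown @ 0x8A7F5008) "
    "[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A822758)"
)
# Constructed placeholder range for the driver image; the real base address is not on the page.
MODULES = [("mbamchameleon.sys", 0xB3F00000, 0xB3F20000)]

if __name__ == "__main__":
    before, after = parse_hooks(BEFORE), parse_hooks(AFTER)
    for owner, names in hooks_by_owner(before).items():
        print(f"{owner}: {', '.join(names)}")
    for h in before:
        print(f"{h.table}[{h.index}] target 0x{h.target:08X} -> {attribute_target(h.target, MODULES)}")
    for kind, rows in diff_listings(before, after).items():
        for table, idx, detail in rows:
            print(f"{kind:12s} {table}[{idx}] {detail}")
```

Run on the excerpt, the diff shows what the poster saw: the two mbamchameleon entries did not disappear, they became "Unknown" with a new target, and every "Unknown" entry kept its syscall but changed address between the two scans. A scanner marking an owner "Unknown" means only that the target address fell outside every driver image it knew about, so the next step is attribution (which loaded module, if any, covers those addresses), not deletion of entries whose owner you have not identified.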