Hale.exe/Driver injection

Hello guys, recently I looked into my router logs and found many UDP/TCP/SYN floods.

I made several scans with HijackThis, Anti-Malware (of course :)), GMER, OTL, TFC and an application with a lion as its icon. I forgot the name because I had to rename it for security reasons.

Anyway, to cut a long story short, I made scans. Anti-Malware did find "hale.exe"; it got removed. After restarting it was there again. Also, a driver gets injected into Windows.

Every injection it gets a different name; it's invisible in Explorer and does not show up in cmd with 'dir', but I can upload it to VirusTotal if I change into the "drivers" directory and type the file name in manually.

The checksum is the same on every injection. Here is my GMER log; I marked the bad guy in bold:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-21 21:57:42

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_SP0411N rev.TW100-11

Running: nu8bzg28.exe; Driver: C:\Users\Tsuyo\AppData\Local\Temp\pxldqpob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E87599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EABF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

? System32\Drivers\spih.sys Das System kann den angegebenen Pfad nicht finden. !

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E803000, 0x341E0C, 0xE8000020]

.text USBPORT.SYS!DllUnload 8EFC8CA0 5 Bytes JMP 85D7D1D8

.text aflwszsa.SYS 8F788000 12 Bytes [44, 28, E1, 82, EE, 26, E1, ...]

.text aflwszsa.SYS 8F78800D 9 Bytes [07, E1, 82, 48, 2B, E1, 82, ...] {POP ES; LOOPZ 0xffffffffffffff85; DEC EAX; SUB ESP, ECX; ADD BYTE [EAX], 0x0}

.text aflwszsa.SYS 8F788017 155 Bytes [00, DE, 97, D3, 88, E6, 95, ...]

.text aflwszsa.SYS 8F7880B3 14 Bytes JMP EAE2C082

.text aflwszsa.SYS 8F7880C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}

.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88C3D042] \SystemRoot\System32\Drivers\spih.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88C3D6D6] \SystemRoot\System32\Drivers\spih.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88C3D800] \SystemRoot\System32\Drivers\spih.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88C3D13E] \SystemRoot\System32\Drivers\spih.sys

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortNotification] 00147880

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortStallExecution] C25DC033

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortInitialize] 157B805E

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500

IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 859321F8

Device \FileSystem\fastfat \FatCdrom 87619500

Device \Driver\USBSTOR \Device\0000008e 85C221F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{9E738E08-85AC-4E8F-B520-2B95CC0CD492} 85C11500

Device \Driver\volmgr \Device\VolMgrControl 84C951F8

Device \Driver\usbohci \Device\USBPDO-0 85D801F8

Device \Driver\usbohci \Device\USBPDO-1 85D801F8

Device \Driver\sptd \Device\1381414326 spih.sys

Device \Driver\usbohci \Device\USBPDO-2 85D801F8

Device \Driver\usbohci \Device\USBPDO-3 85D801F8

Device \Driver\usbohci \Device\USBPDO-4 85D801F8

Device \Driver\usbehci \Device\USBPDO-5 85D811F8

Device \Driver\volmgr \Device\HarddiskVolume1 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 86A9C1F8

Device \Driver\volmgr \Device\HarddiskVolume3 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 84C971F8

Device \Driver\atapi \Device\Ide\IdePort0 84C971F8

Device \Driver\atapi \Device\Ide\IdePort1 84C971F8

Device \Driver\atapi \Device\Ide\IdePort2 84C971F8

Device \Driver\atapi \Device\Ide\IdePort3 84C971F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84C971F8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-5 84C971F8

Device \Driver\cdrom \Device\CdRom1 86A9C1F8

Device \Driver\PCI_PNP5576 \Device\00000066 spih.sys

Device \Driver\cdrom \Device\CdRom2 86A9C1F8

Device \Driver\volmgr \Device\HarddiskVolume4 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume5 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume6 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume7 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 85C11500

Device \Driver\volmgr \Device\HarddiskVolume8 84C951F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000005e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

Device \Driver\usbohci \Device\USBFDO-0 85D801F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{FBCCCC2C-D69E-42DD-89C8-BF7E08CB474B} 85C11500

Device \Driver\usbohci \Device\USBFDO-1 85D801F8

Device \Driver\usbohci \Device\USBFDO-2 85D801F8

Device \Driver\usbohci \Device\USBFDO-3 85D801F8

Device \Driver\usbohci \Device\USBFDO-4 85D801F8

Device \Driver\usbehci \Device\USBFDO-5 85D811F8

Device \Driver\aflwszsa \Device\Scsi\aflwszsa1 85DD9500

Device \Driver\aflwszsa \Device\Scsi\aflwszsa1Port4Path0Target0Lun0 85DD9500

Device \Driver\aflwszsa \Device\Scsi\aflwszsa1Port4Path0Target2Lun0 85DD9500

Device \Driver\aflwszsa \Device\Scsi\aflwszsa1Port4Path0Target1Lun0 85DD9500

Device \Driver\USBSTOR \Device\0000008d 85C221F8

Device \FileSystem\fastfat \Fat 87619500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0xC3 0xF8 0x67 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x40 0x34 0x8C 0xAE ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB0 0xEB 0x85 0x7A ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x14 0x62 0x28 0xEF ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x14 0x62 0x28 0xEF ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0xC3 0xF8 0x67 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x40 0x34 0x8C 0xAE ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB0 0xEB 0x85 0x7A ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x14 0x62 0x28 0xEF ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x14 0x62 0x28 0xEF ...

Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 2

Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\00000000-0000-0004-0000-0023087BD5AB@Alive 1

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Tsuyo\Downloads\§SAsd.exe 1

HijackThis:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:26:37, on 22.12.2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16671)

Boot mode: Normal

Running processes:

C:\Program Files\TeamViewer\Version6\TeamViewer.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Media Player\WMPSideShowGadget.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Logitech Gaming Software\LCore.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Mozilla Firefox 4.0 Beta 8\firefox.exe

C:\Program Files\Mozilla Firefox 4.0 Beta 8\plugin-container.exe

C:\Users\Tsuyo\Downloads\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Launch LCore] "C:\Program Files\Logitech Gaming Software\LCore.exe" /minimized

O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [steam] "D:\Program Files\Steam\steam.exe" -silent

O4 - HKCU\..\Run: [FwPapi] C:\Program Files\Firewall PAPI\FirewallPApi.exe

O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: An vorhandene PDF-Datei anf
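As an added triage example (my own code, not from this thread or from GMER), the parser below reads the "Kernel IAT/EAT" section of the GMER log above and separates hooks that GMER could attribute to a module, such as the atapi.sys entries pointing at spih.sys, from the bare values listed for the random-named aflwszsa.SYS, whose slots hold int3 padding and x86 prologue bytes rather than pointers. The sample lines are copied from the post; the flag names and heuristics are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four IAT lines taken verbatim from the GMER log in the post.
SAMPLE_LOG = r"""
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88C3D042] \SystemRoot\System32\Drivers\spih.sys
IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aflwszsa.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
"""

# GMER prints a hooked IAT slot either as "[addr] module" when it can attribute the
# target to a loaded module, or as a bare 8-hex-digit value when it cannot.
IAT_RE = re.compile(
    r"^IAT (?P<driver>\S+?)\[(?P<imp>[^\]]+)\] "
    r"(?:\[(?P<addr>[0-9A-F]{8})\] (?P<module>\S+)|(?P<raw>[0-9A-F]{8}))$"
)

def classify_slot(raw_hex):
    """Heuristics (assumed) for a slot GMER could not map to any module."""
    le = bytes.fromhex(raw_hex)[::-1]          # the value is little-endian in memory
    if le == b"\xcc" * 4:
        return "int3-padding"                  # CC CC CC CC: compiler padding, not a pointer
    if le[:3] == b"\x55\x8b\xec":
        return "code-bytes"                    # push ebp; mov ebp,esp: the slot holds x86 code
    return "unresolved"

def triage_iat(log_text):
    """Group GMER IAT lines by importing driver and tag anything that looks wrong."""
    report = defaultdict(lambda: {"resolved_to": set(), "flags": set()})
    for line in log_text.splitlines():
        m = IAT_RE.match(line.strip())
        if not m:
            continue
        name = m["driver"].rsplit("\\", 1)[-1]
        entry = report[name]
        if m["module"]:
            entry["resolved_to"].add(m["module"].rsplit("\\", 1)[-1].lower())
        else:
            entry["flags"].add(classify_slot(m["raw"]))
        # Eight random lowercase letters is only a prompt to look closer: GMER's own
        # driver in this log (pxldqpob.sys) uses the same naming pattern.
        if re.fullmatch(r"[a-z]{8}\.sys", name.lower()):
            entry["flags"].add("random-name")
    return dict(report)

if __name__ == "__main__":
    for drv, info in triage_iat(SAMPLE_LOG).items():
        print(drv, sorted(info["resolved_to"]), sorted(info["flags"]))
```

The registry section of the same log ties spih.sys to the sptd service configured for DAEMON Tools Lite, so the atapi.sys hooks resolve to a known component, while aflwszsa.SYS has no such explanation.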


:lol:

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
