
Looking for help on analysing rootkit scan result (Spybot Search & Destroy)


RickD


Hello all,

After performing a rootkit scan with Spybot Search & Destroy, these results were detected:

1. KGyGaAvL.sys in C:\Windows\SysWOW64\ (no administrator ACL)

2. KGyGaAvL.sys in C:\Windows\System32\ (no administrator ACL)

3. DRM:[Arabic text]:$DATA in C:\Users\Public\ (unknown ADS)

Some googling tells me that the first and second ones seem to be legit and are part of DivX.

The third one: I have no idea what the hell that is.

Also, the 2nd and 3rd don't seem to show up in any file list (both Explorer and command line)?!

Removing these 3 with Spybot S&D doesn't seem to do anything; they keep showing up.

Has anybody seen these before and knows what to make of this?

Thanks for any help on this!

Regards, Rick


Set your folders to allow viewing of hidden and system files, see if you can find them, copy them and upload to VirusTotal. That would be the first thing I'd check. Even boot in safe mode with networking, if you really fear they are malware, just to be safe; since they don't look to be default Windows system files, they shouldn't load in safe mode.

If you have any DivX software installed, remove it and then test again. If they still show, then I'd be more worried, as they seem to be part of "Dr DivX". If you want to watch videos encoded in DivX, the default media player should work, but I'd not even use that and just switch to VLC. Windows Media Player tends to be craptastic and has its share of system-crashing issues anyway, just in itself.

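Before deleting anything the scanner flagged, it is worth checking the three findings from a shell rather than from Explorer. The script below is an added example written for this thread, not code from the original posts or from Spybot; it uses the exact paths quoted in the first post and assumes they are run from an elevated 64-bit PowerShell (a 32-bit process sees C:\Windows\System32 redirected to SysWOW64, so a 32-bit shell cannot tell findings 1 and 2 apart). It reports whether each .sys file exists, its attributes, owner, whether BUILTIN\Administrators has any ACE at all (the scanner's "no administrator acl"), its Authenticode status and a SHA256 to paste into VirusTotal; then it enumerates alternate data streams under C:\Users\Public, which neither Explorer nor a plain `dir` will ever list (you need `dir /r` or `Get-Item -Stream *`):

```powershell
# Added example, not from the thread: verify what Spybot S&D flagged before removing it.
# Run from an elevated 64-bit PowerShell so System32 is not redirected to SysWOW64.
# Paths are the ones quoted in the original post; adjust for your machine.
$FlaggedFiles = @(
    'C:\Windows\SysWOW64\KGyGaAvL.sys',
    'C:\Windows\System32\KGyGaAvL.sys'
)
$AdsRoot = 'C:\Users\Public'   # where the "unknown ADS" was reported

function Get-FlaggedFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false }
            continue
        }
        # -Force returns hidden/system files that Explorer hides by default
        $item = Get-Item -LiteralPath $p -Force
        $acl  = Get-Acl -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        # Any ACE for BUILTIN\Administrators; $false matches the scanner's "no administrator acl"
        $adminAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' }
        [pscustomobject]@{
            Path       = $p
            Exists     = $true
            Attributes = $item.Attributes.ToString()
            Size       = $item.Length
            Owner      = $acl.Owner
            AdminACE   = [bool]$adminAce
            Signature  = $sig.Status.ToString()
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash   # look this up on VirusTotal
        }
    }
}

function Get-AlternateStreamReport {
    param([string]$Root)
    # Explorer and a plain 'dir' never list alternate data streams; 'dir /r' and Get-Item -Stream * do.
    # The directory itself is included: an ADS can hang off a folder, not only off a file.
    $targets = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue)
    foreach ($t in $targets) {
        Get-Item -LiteralPath $t.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |      # skip the unnamed default stream
            ForEach-Object {
                $raw = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                $preview = ''
                if ($raw) {
                    # first 64 chars with non-printable bytes replaced, enough to see text vs. binary
                    $preview = $raw.Substring(0, [Math]::Min(64, $raw.Length)) -replace '[^\x20-\x7E]', '.'
                }
                [pscustomobject]@{
                    File    = $_.FileName
                    Stream  = $_.Stream
                    Length  = $_.Length
                    Preview = $preview
                    Hint    = if ($_.Stream -eq 'Zone.Identifier') { 'browser download mark, normal' } else { 'inspect' }
                }
            }
    }
}

Get-FlaggedFileReport -Paths $FlaggedFiles | Format-List
Get-AlternateStreamReport -Root $AdsRoot | Format-Table -AutoSize
```

If a flagged path reports Exists = $false from a 64-bit shell, the scanner may have been reporting something its own 32-bit view saw twice; if a stream is listed, its Length and Preview tell you whether it is a harmless text marker or something worth hashing and uploading.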

19 hours ago, digip said:

Set your folders to allow viewing of hidden and system files, see if you can find them, copy them and upload to VirusTotal. That would be the first thing I'd check. Even boot in safe mode with networking, if you really fear they are malware, just to be safe; since they don't look to be default Windows system files, they shouldn't load in safe mode.

If you have any DivX software installed, remove it and then test again. If they still show, then I'd be more worried, as they seem to be part of "Dr DivX". If you want to watch videos encoded in DivX, the default media player should work, but I'd not even use that and just switch to VLC. Windows Media Player tends to be craptastic and has its share of system-crashing issues anyway, just in itself.

Thanks for the answer. After some more research and a boot from a Puppy/Slacko Linux CD to look into the files (2 and 3 are really not there as far as I can see), I think this is a case of false positives.

Which brings me to the next question. Puppy/Slacko Linux is a nice thing for the easy stuff, but can anybody point me to a free .iso of a boot CD/DVD with a good set of tools (fdisk, MBR tools, imaging, memtest, HD test, hex editor, etc.) on it (Windows seems to have lost the boot/rescue CD/DVD/USB option)? I'm sure something like that is out there, but I haven't been able to locate it so far.


2 hours ago, RickD said:

Thanks for the answer. After some more research and a boot from a Puppy/Slacko Linux CD to look into the files (2 and 3 are really not there as far as I can see), I think this is a case of false positives.

Which brings me to the next question. Puppy/Slacko Linux is a nice thing for the easy stuff, but can anybody point me to a free .iso of a boot CD/DVD with a good set of tools (fdisk, MBR tools, imaging, memtest, HD test, hex editor, etc.) on it (Windows seems to have lost the boot/rescue CD/DVD/USB option)? I'm sure something like that is out there, but I haven't been able to locate it so far.

I just install a Linux distro to a 32GB USB. Made one for my boss too. A lot of people will use the live USB with persistent storage. I made the whole thing persistent so I can treat it like a mobile Linux machine.

I started with Ubuntu, later had a Kali USB, and in the end I have an encrypted ParrotOS USB stick. I have all the tools I have on my Linux laptop on the USB and can do the same things when booting up a machine from it, minus reading a drive that uses UEFI, which is different. You can use The Sleuth Kit to recover files, or image the drive to another USB drive that is big enough to hold the image, to inspect later.

I used VirtualBox to make it. Installed the latest version, added the extensions so USB would work right in it. Created a new virtual machine with no HD and the OS ISO as my boot media. I configured USB in VirtualBox and plugged in my USB stick to add it to the list in VirtualBox. I then booted up the VM and installed the OS to the USB like I would be installing it on a regular machine. When all done, I remove the USB and boot it from a real machine (with the internal HD disabled, so when I do updates I do not get a menu item for the local machine's OS in my GRUB menu) that has internet, and then do my update, upgrade, autoremove, extra installs, configurations, etc. When done, just shut down and the USB is ready.

This helped me recover files from customers who had a crashed bare-metal server and other things. I've been trying to find a good virus scanner that can run on Linux but understands the Windows file structure to accurately find viruses, but when it is that bad I recover files with the USB and then wipe the machine anyway to redo it, to avoid potentially missing hidden buggies.


4 hours ago, RickD said:

Thanks for the answer. After some more research and a boot from a Puppy/Slacko Linux CD to look into the files (2 and 3 are really not there as far as I can see), I think this is a case of false positives.

Which brings me to the next question. Puppy/Slacko Linux is a nice thing for the easy stuff, but can anybody point me to a free .iso of a boot CD/DVD with a good set of tools (fdisk, MBR tools, imaging, memtest, HD test, hex editor, etc.) on it (Windows seems to have lost the boot/rescue CD/DVD/USB option)? I'm sure something like that is out there, but I haven't been able to locate it so far.

Um, Kali? Full Linux distro and supported repo of tools. Live boot, reset passwords, remove files/malware or copy off safely for inspection.

Also, on the other files, from my understanding the DivX app recreates them when loaded or when needed, but it never hurts to be safe. The third one, no idea; upload to VirusTotal, or some other malware sandbox site like Anubis (not sure if it still exists).


2 weeks later...
On 29-8-2017 at 10:40 PM, digip said:

Um, Kali? Full Linux distro and supported repo of tools. Live boot, reset passwords, remove files/malware or copy off safely for inspection.

I've been playing around with Kali live persistence last week, and decided I need a full bootable install on the stick for it to be usable.

I have two questions about that:

1) Is a USB stick robust enough to run an OS from, or does it fail after 100,000 or so writes, and should I use a USB hard drive instead?

2) Is it possible to make it boot from the USB stick/drive directly (not the MBR on my HD) by using the default Kali installer, or does it need some custom GRUB installation? This whole thing seems to be extremely tricky anyway and is probably best done when the main HD is unplugged.

Regards,

Rick


1) USB thumb drives come in many sizes and are more than robust enough; they're just going to be slower than a full install booting from a native HDD. Same for a USB HDD, although I'd just use a thumb drive and save the HDD for backup storage or such. A thumb drive is more portable and easier to carry, and can be either a full install or a live install with persistence.

2) USB booting is more or less down to the setup of the machine you plug into. You need to either have the boot order set in the BIOS to boot from USB first, before CD and HDD, or press F9 (or whatever the machine's key is for this) on boot and select the USB drive to boot from directly.

A few caveats to #2. First, if the system is UEFI/EFI booting (Windows 8 and later and certain versions of Mac OS), you need an EFI setup on the thumb drive; otherwise, you need to change the BIOS to disable EFI and allow legacy booting. If you don't, the system may not even see the thumb drive and will skip right to the main OS. Check docs.kali.org on how to set up a USB with UEFI.

Kali 2017.1 will allow you to install with UEFI natively to the HDD as well, if you wanted to dual-boot the system. You'd still have to select the boot order, unless you wipe the Windows MBR and go with GRUB to chain-load, but I'd say leave it alone and do the F9 trick on boot to select which OS drive to boot from. That is what I ended up doing on my laptop, which now dual-boots Windows 8 and Kali. It defaults to booting Windows, but if I press F9 on boot I can then select Kali instead; this is BIOS-dependent with the UEFI settings for my machine, though. Yours may be different.

If you want speed (and space), dual-booting would be the way to go: install to native hardware. Wi-Fi tools and others will work much better on native hardware as well, especially if you've been playing with it in a VM. Most everything will work fine in a VM, with some exceptions for a few USB wireless cards, which is generally an OS- and hardware-related issue, but that's for another thread, and you can see plenty of posts here with others experiencing issues on VMs and which Wi-Fi cards work and which don't 100%.

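The UEFI-versus-legacy caveat above is easy to check before rebooting and guessing at BIOS menus. The script below is an added example for this thread, not code from the posts or from Kali's docs; run it from Windows with the stick plugged in. It reads the firmware type Windows exposes, asks whether Secure Boot is on (a caveat the thread does not mention: with Secure Boot enabled the firmware will refuse an unsigned GRUB, so either the stick carries a signed shim or Secure Boot is turned off), and then looks on every removable volume for \EFI\BOOT\BOOTX64.EFI, which is the file a UEFI firmware boots from removable media. The drive letters and the stick's layout are whatever happens to be plugged in:

```powershell
# Added example, not from the thread: does this machine boot UEFI or legacy BIOS, is Secure Boot on,
# and does the plugged-in thumb drive carry the EFI boot file a UEFI firmware looks for?

function Get-FirmwareBootInfo {
    # $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later; absent on older Windows
    $fw = $env:firmware_type
    if (-not $fw) { $fw = 'Unknown (pre-Windows 8 or not exposed)' }
    $secure = 'n/a'
    if ($fw -eq 'UEFI') {
        try   { $secure = (Confirm-SecureBootUEFI).ToString() }   # needs an elevated shell
        catch { $secure = "unknown: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ FirmwareType = $fw; SecureBoot = $secure }
}

function Test-RemovableEfiBoot {
    # Win32_LogicalDisk DriveType 2 = removable disk.
    # A UEFI firmware boots removable media from a FAT partition holding \EFI\BOOT\BOOTX64.EFI
    # (BOOTIA32.EFI for 32-bit firmware). No such file means the stick only boots in legacy mode.
    # A stick whose partitions are all ext4 gets no drive letter at all and will not show up here.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        $x64  = Join-Path $root 'EFI\BOOT\BOOTX64.EFI'
        $ia32 = Join-Path $root 'EFI\BOOT\BOOTIA32.EFI'
        $grubCfg = Get-ChildItem -LiteralPath (Join-Path $root 'EFI') -Recurse -Filter 'grub.cfg' `
                       -ErrorAction SilentlyContinue | Select-Object -First 1
        [pscustomobject]@{
            Drive       = $_.DeviceID
            Label       = $_.VolumeName
            FileSystem  = $_.FileSystem          # should be FAT32/FAT for the EFI partition
            EfiBootX64  = Test-Path -LiteralPath $x64
            EfiBootIA32 = Test-Path -LiteralPath $ia32
            GrubConfig  = if ($grubCfg) { $grubCfg.FullName } else { $null }
        }
    }
}

$info = Get-FirmwareBootInfo
$info | Format-List
Test-RemovableEfiBoot | Format-Table -AutoSize

if ($info.FirmwareType -eq 'UEFI' -and $info.SecureBoot -eq 'True') {
    Write-Warning 'Secure Boot is on: the stick needs a signed shim/bootloader, or disable Secure Boot in firmware setup.'
}
if ($info.FirmwareType -eq 'Legacy') {
    Write-Output 'Legacy BIOS boot: the stick needs an MBR bootloader; the EFI files are irrelevant here.'
}
```

If FirmwareType is UEFI and EfiBootX64 is $false for the stick, that is exactly the case digip describes where the firmware skips straight to the main OS; either rebuild the stick with an EFI system partition or switch the firmware to legacy/CSM mode.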
