eScan - Antivirus & Content Security Forum

[SHIVSWAMI VERMA]

How to kill individual process from module svchost.exe and or rundll32.exe. gmer tool is showing one hidden activity on module but not able to stop or delete. the report is as follows:
GMER 1.0.15.15220 - http://www.gmer.net

Rootkit scan 2009-11-13 15:09:11

Windows 5.1.2600 Service Pack 2

Running: TEST.exe; Driver: C:\DOCUME~1\KUNDAN~1.GD~\LOCALS~1\Temp\uwtdrpog.sys



---- System - GMER 1.0.15 ----


Code \??\C:\DOCUME~1\KUNDAN~1.GD~\LOCALS~1\Temp\catchme.sys pIofCallDriver


---- Kernel code sections - GMER 1.0.15 ----


? C:\DOCUME~1\KUNDAN~1.GD~\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

? C:\DOCUME~1\KUNDAN~1.GD~\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !


---- User code sections - GMER 1.0.15 ----


.text C:\WINDOWS\System32\svchost.exe[848] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 01899DB4

.text C:\WINDOWS\System32\svchost.exe[848] NETAPI32.dll!NetpwPathCanonicalize 5B86A259 5 Bytes JMP 01899D54

.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 00809DB4


---- Modules - GMER 1.0.15 ----


Module (noname) (*** hidden *** ) 00400000-00400000 (0 bytes) ---- Services - GMER 1.0.15 ----


Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wkdfkpmp <-- ROOTKIT !!!


---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp@DisplayName Center Microsoft

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp@Type 32

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp@Start 2

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp@ObjectName LocalSystem

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp\Parameters

Reg HKLM\SYSTEM\CurrentControlSet\Services\wkdfkpmp\Parameters@ServiceDll C:\WINDOWS\system32\yhcwi.dll

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp@DisplayName Center Microsoft

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp@Type 32

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp@Start 2

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp@ErrorControl 0

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp@ObjectName LocalSystem

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp\Parameters (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\wkdfkpmp\Parameters@ServiceDll C:\WINDOWS\system32\yhcwi.dll


---- EOF - GMER 1.0.15 ----

[Shrinivas]

Hi,

Kindly make sure you have patched your system with "Microsoft Critical patches".
You can do that from eScan Protection Center->Tools->Download latest hotfix (Microsoft Windows OS)

Once you are done with this ,do run mwavscan.com /kill parameter from command line at eScan folder and provide us the pinfect.zip file to samples@mwti.net so that we can check for new infection.