Hi again,
I'd like to add some details.
First, the attachment is the apihooks plugin output log, and second:

# vol idt | grep UNKNOWN

Volatility Foundation Volatility Framework 2.3.1
     0      2       0x58 0x00000000 UNKNOWN                         
     0      8       0x50 0x00000000 UNKNOWN                         
     0     20        0x8 0x00000000 UNKNOWN                         
     0     21        0x8 0x00000000 UNKNOWN                         
     0     22        0x8 0x00000000 UNKNOWN                         
     0     23        0x8 0x00000000 UNKNOWN                         
     0     24        0x8 0x00000000 UNKNOWN                         
     0     25        0x8 0x00000000 UNKNOWN                         
     0     26        0x8 0x00000000 UNKNOWN                         
     0     27        0x8 0x00000000 UNKNOWN                         
     0     28        0x8 0x00000000 UNKNOWN                         
     0     29        0x8 0x00000000 UNKNOWN                         
     0     51        0x8 0x89af9bec UNKNOWN                         
     0     52        0x8 0x89b25044 UNKNOWN                         
     0     72        0x8 0x89f32bec UNKNOWN                         
     0     93        0x8 0x89c0f8bc UNKNOWN                         
     0     A2        0x8 0x89b01044 UNKNOWN                         
     0     A3        0x8 0x89f3fbec UNKNOWN                         
     0     B1        0x8 0x89f688bc UNKNOWN                         
     0     B3        0x8 0x89b262fc UNKNOWN                         
     1      2       0x58 0x00000000 UNKNOWN                         
     1      8       0x50 0x00000000 UNKNOWN                         
     1     20        0x8 0x00000000 UNKNOWN                         
     1     21        0x8 0x00000000 UNKNOWN                         
     1     22        0x8 0x00000000 UNKNOWN                         
     1     23        0x8 0x00000000 UNKNOWN                         
     1     24        0x8 0x00000000 UNKNOWN                         
     1     25        0x8 0x00000000 UNKNOWN                         
     1     26        0x8 0x00000000 UNKNOWN                         
     1     27        0x8 0x00000000 UNKNOWN                         
     1     28        0x8 0x00000000 UNKNOWN                         
     1     29        0x8 0x00000000 UNKNOWN                         
     1     51        0x8 0x89af9e54 UNKNOWN                         
     1     52        0x8 0x89b252ac UNKNOWN                         
     1     72        0x8 0x89f32e54 UNKNOWN                         
     1     93        0x8 0x89c0fb24 UNKNOWN                         
     1     A2        0x8 0x89b012ac UNKNOWN                         
     1     A3        0x8 0x89f3fe54 UNKNOWN                         
     1     B1        0x8 0x89f68b24 UNKNOWN                         
     1     B3        0x8 0x89b26564 UNKNOWN                         

This should not be normal, right?

Thank you



2014-04-04 20:28 GMT+00:00 mediomen27 <mediomen27@gmail.com>:
Hi Michael,
yes, the server has installed Kaspersky AV.
and here you can see that it should be a Kaspersky component:
http://www.shouldiblockit.com/klogon.dll-41922.aspx

I have tried to dump the dll but I have got the following error:
# vol dlldump -r klogon -D /root/dump/

Volatility Foundation Volatility Framework 2.3.1
Process(V) Name                 Module Base Module Name          Result
---------- -------------------- ----------- -------------------- ------
0x8967d158 winlogon.exe         0x010000000 klogon.dll           Error: DllBase is paged

Also, I have tried the following:
# vol dlldump -b 0x10000000 -D /root/dump/
and the dumped files are all *clean*.

and the following looks clean:
# vol dlldump -r winlogon -D /root/dump/

Volatility Foundation Volatility Framework 2.3.1
Process(V) Name                 Module Base Module Name          Result
---------- -------------------- ----------- -------------------- ------
0x8967d158 winlogon.exe         0x001000000 winlogon.exe         OK: module.412.967d158.1000000.dll
0x88ea0918 winlogon.exe         0x001000000 winlogon.exe         OK: module.9088.8ea0918.1000000.dll

and here I have done (vol psscan |grep k):
0x090e2a98 adskflex.exe       4992   2200 0x434f3000 2013-10-04 17:33:14 UTC+0000
0x09463d88 klnagent.exe      12352    468 0x32385000 2013-06-26 00:01:15 UTC+0000   2013-06-26 09:15:42 UTC+0000
0x09b5bb08 klserver.exe      10004    460 0x677a3000 2013-10-24 00:01:19 UTC+0000
0x09bcdaf0 jucheck.exe         884   2596 0x660cb000 2013-02-08 18:01:52 UTC+0000   2013-02-08 18:09:58 UTC+0000
0x09d95d88 adskflex.exe       2448   2200 0x62e6f000 2013-06-26 09:16:31 UTC+0000   2013-10-04 17:33:10 UTC+0000

and the PIDs 10004, 4992 are clean (VirusTotal).
The 2448 is paged.

and the pid 12352 cannot give me any dump with
$ vol procexedump -u -p 12352 -D /root/dump/

But maybe now I have found something:

# vol modules|grep -i pdf
0x8987a688 pdfsd.sys            0xb9770000    0x11000 \SystemRoot\system32\drivers\pdfsd.sys
# vol moddump -r pdf -D /root/dump/
Module Base Module Name          Result
----------- -------------------- ------
0x0b9770000 pdfsd.sys            OK: driver.b9770000.sys

# sha256sum /root/dump/driver.b9770000.sys
09fd121fd79ebbda9dcd8fe259d3e57028ef5e908250ab91d1371282611a3926  /root/dump/driver.b9770000.sys

https://www.virustotal.com/en/file/09fd121fd79ebbda9dcd8fe259d3e57028ef5e908250ab91d1371282611a3926/analysis/
VirusTotal says Trojan/Win32.Genome.

And now?
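As an added example (not from the thread or from the Volatility project), here is a small Python helper that takes the `vol idt` output shown at the top of the thread together with `vol modules` lines like the pdfsd.sys one above, and resolves each nonzero IDT handler value against the base/size ranges of the listed modules. That splits the UNKNOWN entries into unset vectors (value 0), handlers inside a listed module, and handlers that no listed module covers, which are the ones worth a closer look. The sample output embedded below is constructed in the same column layout; the handler addresses and the ntoskrnl.exe line are made up.

```python
import re

# Constructed sample in the column layout the thread shows for `vol idt`
# (CPU, Index, Selector, Value, Module) and `vol modules` (Offset, Name,
# Base, Size, File); the addresses and the ntoskrnl.exe line are made up.
IDT_OUTPUT = """\
     0     20        0x8 0x00000000 UNKNOWN
     0     51        0x8 0x89af9bec UNKNOWN
     0     72        0x8 0xb9775010 UNKNOWN
"""
MODULES_OUTPUT = """\
0x8987a688 pdfsd.sys            0xb9770000    0x11000 \\SystemRoot\\system32\\drivers\\pdfsd.sys
0x89876ab0 ntoskrnl.exe         0x804d7000   0x1f8580 \\WINDOWS\\system32\\ntoskrnl.exe
"""

IDT_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+0x[0-9A-Fa-f]+\s+0x([0-9A-Fa-f]+)\s+(\S+)")  # index is hex
MOD_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)")

def parse_modules(text):
    """Return (name, base, size) for each module line; headers are skipped."""
    mods = []
    for line in text.splitlines():
        m = MOD_RE.match(line)
        if m:
            mods.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return mods

def resolve(addr, mods):
    """Name of the module whose [base, base + size) range holds addr, else None."""
    for name, base, size in mods:
        if base <= addr < base + size:
            return name
    return None

def triage_idt(idt_text, modules_text):
    """Tag each IDT entry 'unset' (value 0), with its module name, or 'unresolved'."""
    mods = parse_modules(modules_text)
    rows = []
    for line in idt_text.splitlines():
        m = IDT_RE.match(line)
        if not m:
            continue
        cpu, index, value = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        status = "unset" if value == 0 else (resolve(value, mods) or "unresolved")
        rows.append({"cpu": cpu, "index": index, "value": value, "status": status})
    return rows

if __name__ == "__main__":
    for r in triage_idt(IDT_OUTPUT, MODULES_OUTPUT):
        print(f"cpu {r['cpu']} vector 0x{r['index']:02X} -> 0x{r['value']:08x} {r['status']}")
```

Feed it the full plugin outputs saved to files to get the same three-way split across every CPU's table; an "unresolved" handler only says no module in the `modules` list owns the address, so it still needs manual checking rather than being a verdict by itself.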




2014-04-01 5:23 GMT+00:00 Michael Ligh <michael.ligh@mnin.org>:

What about the klogon.dll looks like Kaspersky? Is Kaspersky installed on the system? If you upload klogon.dll to VirusTotal, does it get any hits? I would do the same thing with the winlogon executables. I can’t see the names of the hooked API functions from your gmer screenshot, they’re truncated, so can’t give any advice there. You can run the apihooks plugin in Volatility and see where the hooks are pointing. 

HTH,
MHL

--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com

On Mar 29, 2014, at 7:19 PM, mediomen27 <mediomen27@gmail.com> wrote:

Hi,
gmer has found something suspicious. I have a screenshot of partial logs, here:
http://postimg.org/image/bgx0u5xt9/
Now the server looks mysteriously clean thus the only clues I have are that screenshot and the vmware snapshot.
Could anyone help me investigate more deeply?
The following is what I have done alone:

# vol pslist|grep logon
Volatility Foundation Volatility Framework 2.3.1
0x8967d158 winlogon.exe            412    332     18      535      0      0 2013-06-26 09:16:14 UTC+0000                                
0x88ea0918 winlogon.exe           9088    332     19      258      1      0 2013-10-30 14:33:34 UTC+0000          
    
# vol dlllist -p 412|grep -i klogon
0x10000000    0x36000        0x1 C:\WINDOWS\system32\klogon.dll
klogon looks like a Kaspersky logon module.

# vol dlldump -b 0x10000000 -D /root/dumpprocess/
and the dumped DLL really looks like something from Kaspersky.

# vol filescan|grep VC80
Volatility Foundation Volatility Framework 2.3.1
0x08d295d8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x08e684f0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x08f0b920      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0905a530      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x090822d0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09175a90      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09181e50      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09496250      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09509cc8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09555808      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll
0x0958f860      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x095cd168      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x095f76a0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x0960b668      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0961d9d8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0961e6c8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x096cda10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x096f1db0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x096f2d10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x097c52d0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x097fbb10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09809e90      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09836350      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09843c68      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0985aa50      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09872738      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0987b340      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09a0fea8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09a3ada8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09a82f90      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09bf9ef8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09d95428      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09dadd18      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952



Thanks for any help.

_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users