http://www.dslreports.com/forum/Re-Possible-rootkit-20111138 en Thu, 24 Mar 2022 20:13:00 EDT Thu, 24 Mar 2022 20:13:00 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20147678
Further examination of your recent log looks like you may have embedded-nulls in your registry. They're not a bad thing, they're just undeletable by RegEdit. Wouldn't surprise me if GMER couldn't delete them.

If you want to delete them, that's entirely up to you. It may or may not break something.

If you want to scan for embedded-nulls for the hell of it, download regdelnull from »technet.microsoft.com/en ··· 448.aspx
--
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20147678 Tue, 11 Mar 2008 16:44:05 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20146209
Autoruns displays shell extensions appearing in the registy key

Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

It appears that the "Approved" restriction is only enforced if a certain Group Policy is set Using another tool I found 3 non-Microsoft shell extensions (ones that I use often) that are not listed by Autoruns since they're not in the "Approved" subkey (in either HKLM or HKCU.)

This also means that the method Autoruns uses to disable shell extensions by removing them from the "Approved" subkey doesn't actually disable them. I've verified this.
*******************************
Only allow approved Shell extensions
User Configuration\Administrative Templates\Windows Components\Windows Explorer

Description
Directs Windows to start only the user interface extensions that the system security or the user have approved.

When the system detects that the user is downloading an external program that runs as part of the Windows user interface, the system searches for a digital certificate or requests that the user approve the action. If you enable this policy, Windows only starts approved programs.

This policy is designed to protect the system from damage from programs that do not operate correctly or are intended to cause harm.

Tip

To view the approved user interface extensions for a system, start a registry editor (Regedt32 or Regedit). The system stores entries representing approved user interface extensions on a system in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.

http://msdn2.microsoft.com/en-us/library/ms812054.aspx

**************************************

Now it is not possible for me to understand from what you have posted to date..just how you as a USER have your OS configured..especially when it comes to the Windows Firewall, Autoupdate, or other things in your Security Center, Muchless your OneCare. All of which are Microsoft approved thingies.

But those entires seem to all come down to user congfiration changes you might have made.

So people have suggested that if you want to track those entries down including the ones in that WEB FOLDER you do the following to see if it changes.

Turn on the SP2 firewall

* Disable or uncheck remote assistance & remote desktop in firewall advance setting

The theory is this...

Machines that are affected:

* These machines had auto-updates switched off

* Most have the firewall disabled.

* These errors more frequently in the daytime.

Solution

Enable your firewalls

Re-enable autoupdates. It's that easy.
Most people have it off, in hope of bypassing Microsofts recent anti-piracy move.

As for your ONECARE it requires certain two things turned on to work effectively.
Automatic Updates and Background Intelligent Transfer Service (BITS). The services can be switched off manually using the Windows services.msc utility. Normally, once disabled, they remain that way until the user manually turns them back on.

And that is then the problem and could be the reason for those entires that you see. You have ONECARE..it is trying to do it's job.but is crippled.

You can read more about it here....

Microsoft OneCare Silently Changes Automatic Updates
Root of recent Windows Updates woes? Microsoft's OneCare security tool changes Automatic Update settings as it installs.

http://www.pcworld.com/article/id,138939/article.html
--
Gladiator Security Forum http://www.gladiator-antivirus.com/
Missing Kids
http://www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20146209 Tue, 11 Mar 2008 12:26:51 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20145328 Windows\CurrentVersion\Shell Extensions\Approved\{26910156-F8C6-3BCF-B410-E8F60C33D564} as it was an endless registry entry which made my advanced windows onecare hang on the registry scan and keep on scanning that entry. Whoever said that NIAP rootkit tools is bad is wrong! i had to use NIAP rootkit tool to delete the registry entry because gmer and nothing else could delete it. I wonder: Is it safe?]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20145328 Tue, 11 Mar 2008 09:41:28 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20141103 said by cdavfrew :

Thanks for all your help Name Game. I would still like to ask if Vista becomes the new hot operating system, than will virus writers switch to designing malware for Vista and leave XP behind as a safe operating system? I mean, no one writes any malware for Windows 2000 anymore, do they?
Any piece of malware that runs on XP, will also run on 2000. Most will also run on 98 and Vista.
--
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20141103 Mon, 10 Mar 2008 15:06:21 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20139249
I still use Windows for other things.]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20139249 Mon, 10 Mar 2008 08:48:24 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20139111 http://www.dslreports.com/forum/Re-Possible-rootkit-20139111 Mon, 10 Mar 2008 07:56:49 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20135122
Rootkits are about the last stronghold the bad boys out there can attempt to compromise NT type OS and it is the least understood by the user.

There is hope on the horizon. To paraphrase a wise Russian :D...

A new OS is better than security through obscurity. All these problems go away when the user can work from a truely restricted account. So your next purchase should be Windows Vista x64. It is the only system approach that can handle this NT madness we find out there. With it's fully restricted access to kernel mode part, new security model (with updated NTFS) and a fully isolated kernel with self-integrity control it will lead to the end of: personal firewalls, host intrusion prevention system, some antiviruses, sandboxes, and most of the utilities and executable packers.

It might still become a primary target for script-kiddies, malware writers etc.so it's bypassing will be a question of time. Windows already supports enough security model, but very few thrid party vendor or programmers use it. So their stuff on Vista will still be vulnerable.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20135122 Sun, 09 Mar 2008 11:46:59 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20134578 http://www.dslreports.com/forum/Re-Possible-rootkit-20134578 Sun, 09 Mar 2008 07:49:10 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20125223 »www.techsupportforum.com ··· ose.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20125223 Fri, 07 Mar 2008 11:30:13 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124945
Reg \Registry\USER\S-1-5-21-854245398-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EFB53EC6-C6D4-463D-048F-BFE428D3EDFA}@daahoanh 0x63 0x61 0x6F 0x70 ...
Reg \Registry\USER\S-1-5-21-854245398-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EFB53EC6-C6D4-463D-048F-BFE428D3EDFA}@fanglohilpjc 0x62 0x61 0x64 0x61 ...
Reg \Registry\USER\S-1-5-21-854245398-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EFB53EC6-C6D4-463D-048F-BFE428D3EDFA}@iakalpgmjkekhfhlnm 0x69 0x61 0x6E 0x70 ...
Reg \Registry\USER\S-1-5-21-854245398-1303643608-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EFB53EC6-C6D4-463D-048F-BFE428D3EDFA}@haiagiakjklhkilh 0x6A 0x61 0x6F 0x70 ...

and how an expert handled it see this thread..
post#46

»www.bleepingcomputer.com ··· -40.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124945 Fri, 07 Mar 2008 10:42:58 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124839 bcastner..who already posted in your thread and would be helping you there..I trust his ability and knowledge.
»/profi ··· e/693977
I also trust my brother-in-law Bob who just left for Guangzhou the other day..so if you are in China and close. :D He would sort it out for Ya too.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124839 Fri, 07 Mar 2008 10:21:18 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124777
I have rescanned my computer with Antivir rootkit scan, and it detected nothing, because after I exported the registry entry as shown in previous posts, the registry entry changed to be disguised as something legitimate while having a deeper binary entry.

Here is my Gmer log:

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-07 23:05:37
Windows 5.1.2600 Service Pack 2

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x74 0xED 0xF2 0x38 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{879205d9-654a-4049-9120-bae47b054b4f}@Model 182
Reg HKLM\SOFTWARE\Classes\CLSID\{879205d9-654a-4049-9120-bae47b054b4f}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{879205d9-654a-4049-9120-bae47b054b4f}@MData 0xCB 0x9B 0xAD 0xEF ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Usage@HandWritingFiles 946301515
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x74 0xED 0xF2 0x38 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{879205d9-654a-4049-9120-bae47b054b4f}@Model 182
Reg HKLM\SOFTWARE\Classes\CLSID\{879205d9-654a-4049-9120-bae47b054b4f}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{879205d9-654a-4049-9120-bae47b054b4f}@MData 0xCB 0x9B 0xAD 0xEF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\@hakolggmepoiffaa 0x61 0x62 0x70 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\@hakolggmjpfjfabo 0x70 0x62 0x70 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@Í\x2039í\x2039T\x20acó` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@Í\x2039í\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@\20\x90\20nÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@\26Y\1xÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@Òczz 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@ 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@FC Input 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@FC aid 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@GB/GBK 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@Í\x2039í\x2039T\x20acó` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@Í\x2039í\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\20\x90\20nÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\26Y\1xÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@Òczz 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@ 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@FC Input 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@FC aid 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@GB/GBK 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\26\1xågâ\x2039 -536803324
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\26\1xågâ\x2039\1x\x2022 12
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@Í\x2039í\x2039T\x20acó` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@Í\x2039í\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@\20\x90\20nÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@\26Y\1xÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@Òczz 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@FC Input 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@FC aid 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@GB/GBK 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\@hakolggmepoiffaa 0x61 0x62 0x70 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\@hakolggmjpfjfabo 0x70 0x62 0x70 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@Í\x2039í\x2039T\x20acó` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@Í\x2039í\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@\20\x90\20nÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@\26Y\1xÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@Òczz 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@ 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@FC Input 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@FC aid 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\hQüb@GB/GBK 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@Í\x2039í\x2039T\x20acó` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@Í\x2039í\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\20\x90\20nÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\26Y\1xÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@Òczz 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@ 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@FC Input 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@FC aid 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@GB/GBK 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\26\1xågâ\x2039 -536803324
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ÌSüb@\26\1xågâ\x2039\1x\x2022 12
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@Í\x2039í\x2039T\x20acó` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@Í\x2039í\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@\20\x90\20nÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@\26Y\1xÐc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@Òczz 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@FC Input 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@FC aid 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ѐ
x@GB/GBK 0

---- EOF - GMER 1.0.14 ----]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124777 Fri, 07 Mar 2008 10:11:04 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124604
You were offered to post a hijackthis log here at DSLR forum. You have not done this yet..
»Security Cleanup

please do..because they have other tools they can use..besides just the highthis thingie..and they can FIND real rootkits..trust me..post the highthis log is just the first step. ;)

We don't call him kill bill for nothing . :D He will make your 'rootkit' Bride wake up after a long coma..if one is really there.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124604 Fri, 07 Mar 2008 09:30:40 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124524
I was wondering that if rootkit processes are stopped, shouldn't the hidden registry entries be unhidden as well? Well, I have no hidden processes, so does that mean that something else other than a hidden process is hiding the registry entries? So does that mean that I do not have a rootkit, but a legitimate software instead is creating the hidden registry entries?]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124524 Fri, 07 Mar 2008 09:10:45 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124513
»forum.avira.com/thread.p ··· id=34344

Question for you..did you check your PC to find out if you had that "rootkit" info because the other person posted..or had you previoulsy found it before he posted by coincidence ?

Because in that thread a member named

gitwed
Gesperrter Nutzer

Registration Date: 02.03.2008
Posts: 5
Version: AntiVir PE Classic

Posted this log info on his scan.

AntiVir PersonalEdition Classic
Report file date: Sunday, March 02, 2008 14:35

Scanning for 1129035 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: samlim
Computer name: PERSONAL-DDDC93

So my qestion is..are you both gitwed and cdavfrew at that forum ????

»forum.avira.com/thread.p ··· d=312890
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124513 Fri, 07 Mar 2008 09:07:08 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124349
BTW..I assume you have already run a reg cleaner..I would suggest RegSeeker by Hover Inc. Set it to clean the registry including the .exe..and see if it comes up with old stuff you can clean up including the things you are worried about. You will have a choice before cleaning them so it will not mess up your PC.

»www.hoverdesk.net/freeware.htm]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124349 Fri, 07 Mar 2008 08:02:43 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124336 I set my scan to a rootkit scan, so I didn't really have a choice. I have posted my problem on the Avira forum, but have recieved slow and little support. The reason why I don't format my computer is because, well, I don't like it. It takes way too much trouble if I only suspect a rootkit and not determine it. Yes, I am not a government officer or anything seriously important so I don't really care if people steal my information, only that I feel that it is a violation of my privacy and I don't like the idea of being infected. Besides, these hidden objects are not false positives because both gmer and niap detects the registry entries as hidden, and really, there is no false positive in rootkit scan.

And no, I do not have an X-box]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124336 Fri, 07 Mar 2008 07:55:33 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124294 And have you contacted the Antivir folks with the info you found and got their opinion on whether it is a FP. That is the first place I would have gone.

When you did scan..did you have an option for these items to be off or on ?

Scan master boot sector..........: on
Scan boot sector.................: on
Scan memory......................: off
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on

I see this was set for on

Macro heuristic..................: on
File heuristic...................: high

BTW..do you have an X-box :D if so I know the reason then you might have FP's.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124294 Fri, 07 Mar 2008 07:40:11 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20124207
Should I use the in-built protection and monitoring program in Gmer? Is it good? Or is there another low-resource alternative?]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20124207 Fri, 07 Mar 2008 06:57:48 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20120562
Rootkits are becoming more complex, and removing them will become more difficult. The time will come to draw a line between removal and rebuild. I personally recommend rebuilding systems that are rootkited in lieu of removing the rootkit for various reasons.

1. What changes has the rootkit made to your system? even after you have removed the rootkit, there is no guratee that a backdoor of some sort is still not open on your system somewhere. Even if you take a month throughly go though the system and evaluate it from an It Professional standpoint there is no "guarantee" certain system changes will be reverted, or that you could even find the changes it has made all over your system. It is more cost effective to rebuild they system, or reimage it with a known clean backup.

This is the reason that I will rebuild a system, fully patch it behind a SPI Hardware Firewall(router) and then install Security software, then create a Image of the Drive with Acronis or what not on removable meida such as Dvd-R's....that way if the system is indeed rooted, i can format it, and reimage the drive from a known clean backup.

You can never be too sure in terms of security, make no mistake some rootkits make changes to your OP system that you may never find. Im not saying it is impossible to find these changes and fix them, im just saying its not cost effective to do so. Your greatest weapon against a rootkit is a known clean image, a backup on removable media that can't be tampered with.

Practicing Principle of Least Privedge(Limted user accounts, not admin accounts)

Using Hardware Based DEP on everything

Disabling Launching Programs and files in a iframe on your browser of choice

1 HIPS program

1 anti-virus, 1 antispyware, and 1 anti-trojan is really about all you can do.

The known clean image is your way of fighting back against these types of infections. Virtual machines are starting to get bypassed, just like eveyrhting else, nothing is a cure all.

I am a firm beliver that becareful of executing arbitrary code will go a long way in keep this garbage off your system. I never install or run anything im not 100% sure it is not malicious and even then, i doube check.

If i hear about a new piece of software, i research it 1st. I spend atleast a week finding out everything i can about these files, md5 has, sha1, comparing it to know results, using virus total and jotti to check them out, research, research, research. I then have a machine that has nothing but a virtual machine on it that i can flaten and restore anytime with debugging software on it that after my resarch i will test the application, install it, find out what reg keys it makes, what services it installs, where the files in question are installed, and i read the eula to a tee

Just researching things before you install i belive will go a long way to keeping your machine safe from things.

Now granted there are some sistes that have been hacked and will try to exploit you, but as long as you keep your system patched you should be ok as long as you don't fall for social engineering tactics.

But IMO its just not cost effective to remove rootkits anymore, just make a known clean backup of a fully patched system, and if the need ever arises, just restore it. its is my opinion that a router is almost the most important part of a person's security. If your primary firewall is on your pc, it is in the wrong place.

good day, and good luck to ya]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20120562 Thu, 06 Mar 2008 15:18:00 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20119331 --
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20119331 Thu, 06 Mar 2008 12:31:29 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20117831 Icesword. Here's a guide to it and a link to the latest version (1.22):

»www.castlecops.com/t1652 ··· ted.html

Good luck.]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20117831 Thu, 06 Mar 2008 07:07:53 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20117508 http://www.dslreports.com/forum/Re-Possible-rootkit-20117508 Thu, 06 Mar 2008 03:02:19 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20117079 serious malware ass. Each has a different collection of experiences as do we all, and will naturally have a different take on things from time to time. That is not such a deep concept is it ? Can't we just have a couple of six packs together and relax ? Pissing contests are for firemen.The OP has enough ammo to get himself going on the problem.]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20117079 Thu, 06 Mar 2008 00:08:19 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20117012
I helped the OP. I suggested a GMER scan.

As for Bill, I honestly don't care if he's an MS MVP or not. He didn't seem to know what he was talking about.

I think I've seen enough ARK logs to know when someone's infected or not. As for considering myself an authority, I'd go so far as to say I'm knowledgeable on the subject of rootkits (while being modest). I'm quite familiar with a good number of infections, and how they work. I might even have a few friends in the scene.

When I eventually write a rookit, I'll be sure to include a friendly shoutout to Bill via dbgprint.
--
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20117012 Wed, 05 Mar 2008 23:52:50 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20116879 said by Elite:

Regardless, I still think he's very ill-informed and that rootkits aren't his place.


I have yet to see anything you have posted that is either helpful to the OP or any proof of any of bcastner 's information being erroneous.

I'd also be interested in how one becomes the authority to determine what Bill's "place" is. The hey mod button is yours to use if you feel he's out of his "place".

To the OP,

I concur that going to the cleanup forum and going through the process will yield you more thorough and accurate analysis and resolution of any problems or false positives that may be uncovered. I suspect that bcastner will be there to help :)
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20116879 Wed, 05 Mar 2008 23:24:06 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20116877
»Security Cleanup]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20116877 Wed, 05 Mar 2008 23:23:57 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20116412 http://www.dslreports.com/forum/Re-Possible-rootkit-20116412 Wed, 05 Mar 2008 22:03:36 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112737 In any case, your earlier comment was OT as far as I am concerned. as La Luna reminded, the issue is helping the OP, not guesses as to how informed Bill Castner is about rootkits.]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112737 Wed, 05 Mar 2008 12:20:19 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112673
I also said your average usermode rootkit isn't that complex, but he went out of his way to post about the most obnoxious usermode rootkit he could find. I suggested one of my favorite kernel mode examples.

Regardless, I still think he's very ill-informed and that rootkits aren't his place.
--
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112673 Wed, 05 Mar 2008 12:11:19 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112632 said by Elite:

That's a crappy rootkit, using dirty tricks.

So his example is, in your opinion, a "crappy rootkit". And?

It still is an example of the point he was making. Or are we only talking about "non crappy rootkits"? :hmm:

Anyway, arguing over crappy vs non crappy rootkits doesn't help the OP. He still needs to investigate further using more tools and possibly posting in the Cleanup forum.
--
10,675 DEADLY TERROR ATTACKS SINCE 9/11~~TEAM DISCOVERY
Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore
]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112632 Wed, 05 Mar 2008 12:06:01 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112588 said by bcastner:

Its crappy because it shows your earlier comment ill-informed?
Aren't you familiar with the "incovenient truth" theory?
If the truth goes aginst what you just say then debunk it, call it names and then twist it to your favour. :)]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112588 Wed, 05 Mar 2008 12:00:59 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112540 http://www.dslreports.com/forum/Re-Possible-rootkit-20112540 Wed, 05 Mar 2008 11:54:33 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112511
I suggest you go read up about Rustock.B variant.
--
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112511 Wed, 05 Mar 2008 11:51:25 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112499 Are you suggesting that rookited infections never use a loader?
Are you suggesting that they always have "hidden system driver, hidden registry entry (usually a service or two for driver and process), and hidden files (driver and executable)"?

Do not take my comment above as a treatise on rootkits. But yes, many do in fact use an intermediate loader. Not all.

Lets take a very common one at the moment, the Autorun infection KAVO:

When kavo.exe is executed, it drops 4z5zdceq.dll in the %Temp% folder. The dll name is different for each version of the malware. 4z5zdceq.dll is detected as Trojan-PSW.Win32.OnLineGames.nnt.
kavo.exe loads the dll and writes h7.sys to the %Temp% folder. Driver name is random.
h7.sys is loaded by the System Process.

kavo.exe deletes h7.sys.
kavo.exe launches a hidden iexplore.exe process and writes to its virtual memory.
Internet Explorer loads %Temp%\4z5zdceq.dll.

kavo.exe copies itself to %system%\kavo.exe.
kavo.exe drops kavo0.dll into system32 folder.
In meanwhile, Internet Explorer writes wincab.sys to the system32 folder.

The System Process loads wincab.sys

Internet Explorer markes wincab.sys for deletion.

A new thread is created by explorer.exe in order to load %system%\kavo0.dll

Explorer creates a new hidden Internet Explorer process and zz.rar is downloaded from internet. This file tells if an update is available.
If an update is available, zz.exe is downloaded from the web and both files are copied into the %Temp% folder. Files may have another name, they are different for each update.
In meanwhile, explorer.exe copies %system%\kavo.exe to c:\g2p3s.exe (different filename for each version) and creates the c:\autorun.inf file. If any removable drives are present, those files are also copied to the root folder. This method ensures that the malware will propagate on another computer if the flash drive is plugged in.
If an update was available, it's installed using the same method as described in point 1 to 12.
When the update tries to overwrite %system%\kavo0.dll, a sharing violation is triggered. The file is then dropped as kavo1.dll. That is why you will see both files present most of the time.
Our driver only does exist in memory, wincab.sys is not present on the HDD when you shut down the computer. You can easily check this by booting to the Recovery Console. When performing a dir command, the file is not present.
Since kavo.exe is set to run each time windows starts, the rootkit will be reinstalled every time you restart / boot up the PC.
The files are very difficult to delete, partially due to the presence of the rootkit but also because the infection checks every 30 seconds if %system%\kavo.exe, c:\g2p3s.exe and c:\autorun.inf are still present. If not, they are re-created.

From Kimberly's notes on KAVO: »www.bluetack.co.uk/forum ··· ic=18228
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112499 Wed, 05 Mar 2008 11:49:25 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112485 said by Elite:

bcastner , you are somewhat ill-informed about how rootkits function. I suspect that is not the case...
--
da Cajun

Darn I hate Malware]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112485 Wed, 05 Mar 2008 11:47:08 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112454
AntiVir has decent rootkit detection. I'd say it could detect just about everything ITW except MBRKit.

The fact that he's got two hidden CLSIDs, but no hidden drivers, processes, or files, tells me it's probably an FP on AntiVir's side.

If he's really paranoid, he can download GMER and do a scan.
--
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112454 Wed, 05 Mar 2008 11:43:41 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112373 said by Elite:

You have no rootkits.
because.....?

Cudni]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112373 Wed, 05 Mar 2008 11:31:47 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20112345
bcastner , you are somewhat ill-informed about how rootkits function. Average usermode rootkit has a hidden process, hidden system driver, hidden registry entry (usually a service or two for driver and process), and hidden files (driver and executable). There are no loaders involved.
--
QUAD!!!!]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20112345 Wed, 05 Mar 2008 11:27:22 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20111851 www.microsoft.com/techne ··· mfr=true

The first is suspicious. But registry traces are not the rootkit. As to can they change, well, yes they can and usually do. The process for a rootkit is typically to have one loader, which creates a randomly named entry. The randomly named entry creates the hook in a userland process such as Winlogon. It then deletes the second file. The final active rootkit thread will have a random name.

Follow the advice of La Luna .
Your are going to get nowhere with a rootkit by attempting to modify the registry for its traces. This is made more likely since you are using a rootkit revealer type of utility. For all we know what you are seeeing is the trace evidence of this very same utility. Rootkit utilities have to randomly name their own internals, as otherwise rootkit authors could easily target them so as to more effectively hide. So they employ the same tricks and tactics as do the rootkit authors themselves.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20111851 Wed, 05 Mar 2008 10:03:39 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20111820
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20111820 Wed, 05 Mar 2008 09:58:22 EDT http://www.dslreports.com/forum/Re-Possible-rootkit-20111506
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1715567821-884357618-839522115-1004\Software\Microsoft
\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"

[HKEY_USERS\S-1-5-21-1715567821-884357618-839522115-1004\Software\Microsoft
\Windows\CurrentVersion\Shell Extensions\Approved\]
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"

[HKEY_USERS\S-1-5-21-1715567821-884357618-839522115-1004\Software\Microsoft
\Windows\CurrentVersion\Shell Extensions\Approved\\]
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"

[HKEY_USERS\S-1-5-21-1715567821-884357618-839522115-1004\Software\Microsoft
\Windows\CurrentVersion\Shell Extensions\Approved\\\]
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"

[HKEY_USERS\S-1-5-21-1715567821-884357618-839522115-1004\Software\Microsoft
\Windows\CurrentVersion\Shell Extensions\Approved\\\\]
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"

and on and on and on...

Is this a rootkit? It seems to be a very smart one? But how could it have changed? There are no hidden processes running or hidden files on my computer; I checked.

Hope to solve it soon
Bob]]> http://www.dslreports.com/forum/Re-Possible-rootkit-20111506 Wed, 05 Mar 2008 08:34:31 EDT http://www.dslreports.com/forum/Possible-rootkit-20111138
Here is my log:

AntiVir PersonalEdition Classic
Report file date: Sunday, March 02, 2008 14:35

Scanning for 1129035 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: samlim
Computer name: PERSONAL-DDDC93

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 06:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 05:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 08:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 05:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 07:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 06:43:52
ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 2/24/2008 09:35:40
ANTIVIR3.VDF : 7.0.2.215 117248 Bytes 2/29/2008 05:35:01
AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 3/2/2008 05:35:01
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 03:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 00:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 06:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 1/16/2008 10:40:55
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 00:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 05:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 00:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 04:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 05:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 05:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 02:37:21

Configuration settings for the scan:
Jobname..........................: Rootkit search
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\rootkit.avp
Logging..........................: high
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Scan memory......................: off
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,
Expanded search settings.........: 0x00300922

Start of the scan: Sunday, March 02, 2008 14:35

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-1715567821-884357618-839522115-1004\Software\Microsoft\
Windows\CurrentVersion\Shell Extensions\Approved\{26910156-F8C6-3BCF-B410-E8F60C33D564}\hakolggmepoiffaa

[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1715567821-884357618-839522115-1004\Software\Microsoft\
Windows\CurrentVersion\Shell Extensions\Approved\{26910156-F8C6-3BCF-B410-E8F60C33D564}\hakolggmjpfjfabo

[NOTE] The registry entry is invisible.
'601417' objects were checked, '2' hidden objects were found.

End of the scan: Sunday, March 02, 2008 14:40
Used time: 05:05 min

The scan has been done completely.

0 Scanning directories
0 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
0 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes
601417 Objects were scanned with rootkit scan
2 Hidden objects were found]]> http://www.dslreports.com/forum/Possible-rootkit-20111138 Wed, 05 Mar 2008 04:09:59 EDT