Possible rootkit found. Spy Sweeper, BlackLight and RootkitRevealer don't agree.
Posted on 2006-05-27
A lot of information to post here.
I am working on a WinXP Home PC. The main problem is that the computer functions normally, except on the odd occasion (once or twice per session) when CPU utilization goes to 100%, and the Spy Sweeper process is the culprit.
- Webroot Spy Sweeper detected two files as 'possible masked rootkits'. The files were components of a game that was removed previously. When I go to the folder where the files are stored, I get an error '...not accessible' and then the message 'Not enough storage is available to process this command'. I can rename the folder where the files are stored, but after clicking on the folder to view the files inside, I get the same error message. Attempts to delete 'higher up' return the message 'folder not empty'.
When I click on 'Elevator', I get the error message.
I can rename Elevator (or even CARS or ATARI).
If I click on Atari and choose 'Delete', it tells me that 'Elevator' is not empty.
- I can reboot in Safe Mode (command line only) and still get the same results when trying to view/access this folder or attempting to run a Delete *.* command in the folder.
- Sysinternals RootkitRevealer reported 25,792 discrepancies. Along with the two files in the above-mentioned directory, there is a mass of files like Adobe Reader and all its support files, hundreds of files from Windows, windows\fonts, windows\inf and Windows\System32, thousands of files from c:\Program Files\Common Files, thousands of files in the _restore folder, and thousands from c:\program files.
- F-Prot's BlackLight did not find anything suspicious.
- I have tried downloading some third-party file managers to erase the two trouble files listed at the start, but no go. I always get the 'Not enough storage is available' error.
- Next stop is a rebuild, but I wanted thoughts first.
(PS: If you think there is another forum where this should be posted, please let me know.)