tnorman
asked on
Possible root kit found. Spysweep, blacklight and Rootkit revealer don't agree.
A lot of information to post here
I am working on a WinXP Home PC. The main problem was that the computer functions normally, except for the odd occasion (once or twice per session) that the CPU utilization goes to 100%, and the spysweeper process is the culprit.
- Webroot spy sweeper detected two files as 'possible masked root kits'. The files were components of a game that was removed previously. When I go to the folder where the files are stored, I get an error '...not accessible' and then the message 'Not enough storage is available to process this command'. I can rename the folder where the files are stored, but after clicking on the folder to view the files inside, I get the same error message. Attempts to delete 'higher up' return the message 'folder not empty.'
C:\PROGRAM FILES\ATARI\ROLLERCOASTER\CARS\ELEVATOR\
When I click on 'Elevator', I get the error message.
I can rename Elevator (or even CARS or ATARI).
If I click on Atari and go 'Delete', it tells me that 'Elevator' is not empty.
- I can reboot in Safe Mode, Command line only and still get the same results when trying to view/access this folder or attempting to do a Delete *.* command in the folder.
- SysInternals RootKitRevealer returned results of 25792 discrepancies found. Along with the two files that exist in the above mentioned directory, there is a mash of files like Adobe Reader and all its support files, hundreds of files from Windows, windows\fonts, windows\inf and Windows\System32. Thousands of files from c:\Program Files\Common files. Thousands of files in the _restore folder. Thousands from c:\program files.
- FProt's Blacklight did not find anything suspicious.
- I have tried downloading some third party file managers to erase the two trouble files listed at the start, and no go. Always get the 'Not enough storage is available' error.
- Next stop is a rebuild, but I wanted thoughts first.
Thanks,
TN
(PS If you think there is another forum where this should be posted, please let me know)
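As an added triage example (not from the thread or from any of the tools named): the post reports 25792 discrepancies spread across ordinary Windows and Program Files directories, with only two under the suspect game folder. This Python script, which assumes a tab-separated path/description export and uses constructed sample lines, groups such an export by directory prefix and counts how many entries fall under a given path, so a scan-wide artifact (everything flagged) can be told apart from findings confined to one location.

```python
"""Group a RootkitRevealer-style discrepancy export by directory prefix.

Added example, not from the thread. The tab-separated "path<TAB>description"
layout is an assumption, and every line in SAMPLE_EXPORT is constructed.
"""
from collections import Counter

SAMPLE_EXPORT = """\
C:\\WINDOWS\\Fonts\\arial.ttf\tHidden from Windows API.
C:\\WINDOWS\\inf\\oem1.inf\tHidden from Windows API.
C:\\WINDOWS\\System32\\kernel32.dll\tHidden from Windows API.
C:\\Program Files\\Common Files\\Adobe\\acrobat.dll\tHidden from Windows API.
C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe\tHidden from Windows API.
C:\\Program Files\\ATARI\\ROLLERCOASTER\\CARS\\ELEVATOR\\elev1.dat\tHidden from Windows API.
C:\\Program Files\\ATARI\\ROLLERCOASTER\\CARS\\ELEVATOR\\elev2.dat\tHidden from Windows API.
"""


def parse_export(text):
    """Return a list of (path, description) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, description = line.partition("\t")
        entries.append((path, description))
    return entries


def prefix(path, depth):
    """First `depth` components of a Windows path, case-folded for grouping."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(parts[:depth]).lower()


def group_by_prefix(entries, depth=2):
    """Count discrepancies per directory prefix (depth 2 = drive + top folder)."""
    return Counter(prefix(path, depth) for path, _ in entries)


def entries_under(entries, root):
    """Count discrepancies whose path lies under `root` (case-insensitive)."""
    root = root.lower().rstrip("\\") + "\\"
    return sum(1 for path, _ in entries if path.lower().startswith(root))


if __name__ == "__main__":
    found = parse_export(SAMPLE_EXPORT)
    for where, count in group_by_prefix(found).most_common():
        print(f"{count:6d}  {where}")
    suspect = "C:\\Program Files\\ATARI"
    print(f"{entries_under(found, suspect)} of {len(found)} under {suspect}")
```

A scan in which the suspect folder accounts for a handful of entries out of thousands that also cover fonts, inf files and System32 says more about the scan's consistency (or the disk's) than about that folder.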
ASKER
However...
It seems sometimes that the simplest solution was the easiest one. It turns out, after several HD checks, that there was corruption on the HD, specifically where those two files were.
So that, combined with the 'threat' of a possible root-kit, I just replaced the HD and rebuilt.
Again, thanks for your input on this.
TN