
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 396

Possible root kit found. Spysweep, blacklight and Rootkit revealer don't agree.

A lot of information to post here

I am working on a WinXP Home PC.  The main problem was that the computer functions normally, except for the odd occasion (once or twice per session) that the CPU utilization goes to 100%, and the spysweeper process is the culprit.

- Webroot spy sweeper detected two files as 'possible masked root kits'.  The files were components of a game that was removed previously.  When I go to the folder where the files are stored, I get an error '...not accessible' and then the message 'Not enough storage is available to process this command'.  I can rename the folder where the files are stored, but after clicking on the folder to view the files inside, I get the same error message.  Attempts to delete 'higher up' return the message 'folder not empty.'
When I click on 'Elevator', I get the error message.
I can rename Elevator (or even CARS or ATARI).
If I click on Atari and go 'Delete', it tells me that 'Elevator' is not empty.

- I can reboot in Safe Mode, Command line only and still get the same results when trying to view/access this folder or attempting to do a Delete *.* command in the folder.

- SysInternals RootKitRevealer returned the results of 25792 discrepancies found.  Along with the two files that exist in the above mentioned directory, there is a mash of files like Adobe reader and all its support files, hundreds of files from Windows, windows\fonts, windows\inf and Windows\System32.  Thousands of files from c:\Program Files\Common files.  Thousands of files in the _restore folder.  Thousands from c:\program files.

- FProt's Blacklight did not find anything suspicious.

- I have tried downloading some third party file managers to erase the two trouble files listed at the start, and no go.  Always get the 'Not enough storage is available' error.

- Next stop is a rebuild, but I wanted thoughts first.



(PS If you think there is another forum where this should be posted, please let me know)
2 Solutions
When running Rootkit Revealer you need to have an idle PC so the result is not polluted with legit entries (like the mentioned thousands of discrepancies).

If you want to delete the folder, try using Killbox.
Download Pocket Killbox.
* Select the "Delete on Reboot" option.
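The first answer's point is that RootkitRevealer works by comparing a high-level (Windows API) view of the file system against a low-level (raw volume) view, so anything that changes between the two passes on a busy machine shows up as a discrepancy even though nothing is hidden. The following is an added illustration of that cross-view logic, not RootkitRevealer's own code or output format: it takes two constructed directory listings and a scan window, and separates entries that were modified during the scan (likely churn, such as System Restore writing to _restore) from entries the API view never reported at all (the ones worth a closer look).

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Entry:
    path: str          # full path as reported by one of the two views
    mtime: datetime    # last-modified time of the entry

def cross_view_discrepancies(api_view, raw_view, scan_start, scan_end):
    """Compare a Windows-API directory listing with a raw on-disk listing.

    Returns (hidden, churn, api_only):
      hidden   - in the raw view only and NOT modified during the scan: the
                 API is not showing something that is on disk (suspect)
      churn    - in the raw view only but modified inside the scan window:
                 most likely created between the two passes (noise)
      api_only - reported by the API but absent from the raw view (also a
                 discrepancy, e.g. a stale or spoofed listing)
    """
    api_paths = {e.path.lower() for e in api_view}
    raw_paths = {e.path.lower() for e in raw_view}
    hidden, churn = [], []
    for e in raw_view:
        if e.path.lower() in api_paths:
            continue
        if scan_start <= e.mtime <= scan_end:
            churn.append(e.path)
        else:
            hidden.append(e.path)
    api_only = [e.path for e in api_view if e.path.lower() not in raw_paths]
    return sorted(hidden), sorted(churn), sorted(api_only)

# Constructed sample data: the scan ran from 10:00 to 10:05; the _restore
# entry was written mid-scan, the game file predates it by years.
SCAN_START = datetime(2006, 3, 1, 10, 0)
SCAN_END = datetime(2006, 3, 1, 10, 5)
API_VIEW = [
    Entry(r"C:\WINDOWS\system32\kernel32.dll", datetime(2004, 8, 4)),
    Entry(r"C:\Program Files\Adobe\Reader\AcroRd32.exe", datetime(2005, 6, 1)),
]
RAW_VIEW = API_VIEW + [
    Entry(r"C:\_restore\RP12\A0001.tmp", datetime(2006, 3, 1, 10, 2)),
    Entry(r"C:\Games\Atari\Cars\Elevator\level1.dat", datetime(2003, 5, 9)),
]

if __name__ == "__main__":
    hidden, churn, api_only = cross_view_discrepancies(API_VIEW, RAW_VIEW, SCAN_START, SCAN_END)
    print("suspect (hidden from API):", hidden)
    print("scan-time churn (ignore):", churn)
    print("API-only entries:", api_only)
```

On a busy system the churn list is where the thousands of benign discrepancies land; rerunning on an idle machine shrinks it so the hidden list can be reviewed by hand.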

I have had similar problems removing Spyware/Viruses/Rootkits.  

Are there registry entries associated with these files?  Can you remove the registry entries in Safe Mode?  Have you determined what is keeping these files running?

If the file system is NTFS, I would boot using NTFS Pro (or similar) to delete the files.  This has worked for me in the past.  
tnorman (Author) Commented:
Thanks everyone for their help on this one.  Something was definitely 'off' here, with the 27000 entries being logged.  There were no corresponding (or any, actually) registry entries.  I can't believe that they were all in use, as that would be impossible to have that many files running at the same time (and the computer still functioning 99% normally).


It seems sometimes that the simplest solution was the easiest one.  It turns out, after several HD checks, that there was corruption on the HD, specifically where those two files were.

So that, combined with the 'threat' of a possible root-kit, I just replaced the HD and rebuilt.

Again, thanks for your input on this.

