Solved

help with rootkit scan results

Posted on 2006-07-14
Last Modified: 2013-12-04
I just ran a rootkit scan (twice, with the same results) and I need some guidance in interpreting the results.

Just FYI, I was not running anything else at the time of the scan, although there may have been background tasks running that normally start with Windows (Win 2K).

The underlying problem that led me to run the scan in the 1st place is that my machine randomly freezes up and has to be hard reset to get it going again.

The following is a "paste" of the scan results. Any guidance would be greatly appreciated.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Driver2      7/10/2006 6:33 PM      3 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service2      7/10/2006 6:33 PM      7 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service3      7/10/2006 6:33 PM      5 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Motorola\PST\USBDriverVersionNumber      12/15/2005 1:50 PM      3 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Control\Motorola\PST\USBDriverVersionNumber      12/15/2005 1:50 PM      3 bytes      Data mismatch between Windows API and raw hive data.
Question by:shayeh
 

Expert Comment

by:Mark_FreeSoftware
ID: 17112386

Which program did you use to check this? (I guess Sysinternals?)

Author Comment

by:shayeh
ID: 17112446
Thank you for your response.

The name of the program is "RootkitRevealer.exe".

In the past when it ran (on a quiescent system), it returned zero messages. Now, it gave me the above listing, and, since I'm having a "freezing" problem, I wonder if there is a corresponding relationship.

Even if not, I wonder what these messages mean. I'm hoping that one of the more experienced hands here can give me some direction

Accepted Solution

by:
Mark_FreeSoftware earned 167 total points
ID: 17112542

>>The name of the program is
That's from Sysinternals.

Try to download the newest version and run it again (they do a lot of fixes):
http://www.sysinternals.com/Utilities/RootkitRevealer.html


>>I wonder what these messages mean.
OK,
it is possible to view the registry with the Windows API (e.g. RegQueryValueEx).
What the rootkit program does is check whether the data returned by that
is the same as what is on the hard disk.


These messages tell you that the file has something different from what the API call returns.
This is most of the time caused by an incorrect string, or by an embedded null char.


Your case looks a lot like this one:
http://www.geekstogo.com/forum/index.php?s=4ddd0ccea8b3c0245616b8da9bdf48e7&showtopic=61723&view=findpost&p=354630

Do a full system scan with a virus scanner, and check back here (or you could follow the directions on that forum if your computer is indeed infected with the same).



Assisted Solution

by:rpggamergirl
rpggamergirl earned 167 total points
ID: 17112650
I don't see any rootkits there. A mismatch doesn't mean the presence of any rootkits.
A rootkit would be something like an .exe or device driver or hardware configuration file (.sys) that is hidden from the Windows API.

When Rootkit Revealer starts it asks Windows what is there and compares it with what is on the disk. Anything that Windows didn't tell RKR at the start is hidden from the Windows API.
The mismatch in your case could mean that a registry value changed during the scan.

What I am sure of is that RKR did not find any rootkits.
The freezing could be caused by many things; have you eliminated malware/viruses as being the cause of the freezing?

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.


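The comparison the two replies above describe (Mark's API-versus-hive check with its embedded-NUL false positive, and rpggamergirl's "hidden from Windows API" case) is written out below as an added example in Python. It is not code from the thread, from Sysinternals or from RootkitRevealer, and it makes no claim about RootkitRevealer's internals: an API view of one key is diffed against a raw-hive view, a value filtered from the API view comes out as "Hidden from Windows API", and a value whose bytes differ comes out as a "Data mismatch" with the embedded-NUL and missing-terminator cases named as the benign cause. The key path, value names and bytes are constructed, and the `api_string_view` model of how a string-oriented caller reads REG_SZ data is an assumption made for the example.

```python
"""Cross-view comparison of a registry key, in the style of RootkitRevealer.

Added example for this thread, not Sysinternals code; it makes no claim about
RootkitRevealer's internals.  It models the two views the replies describe:
what a Windows string API hands back for a REG_SZ value (the "API view") and
the bytes stored in the hive file on disk (the "raw view").  A value present
only in the raw view is reported as hidden from the Windows API; a value whose
bytes differ between the views is reported as a data mismatch, and where the
raw bytes contain an embedded NUL or lack the terminating NUL, that benign
cause is named.  Every key path and value below is constructed for the example.
"""
from typing import Dict, Iterable, List, Tuple

TERMINATOR = b"\x00\x00"  # UTF-16LE NUL that should close a REG_SZ value

Finding = Tuple[str, int, str]  # (value path, raw size in bytes, message)


def api_string_view(raw: bytes) -> bytes:
    """Model (assumed for the example) of a caller that treats REG_SZ data as a
    NUL-terminated UTF-16LE string: everything after the first NUL is dropped
    and exactly one terminator is present in what the caller keeps."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0].encode("utf-16-le") + TERMINATOR


def explain_mismatch(raw: bytes) -> str:
    """Name the benign reasons the two views of one value can differ, falling
    back to the two explanations a scan alone cannot tell apart: the value
    changed between the two reads, or the API result is being filtered."""
    body = raw[:-2] if raw.endswith(TERMINATOR) else raw
    if "\x00" in body.decode("utf-16-le", errors="replace"):
        return "embedded NUL in raw data; a string API stops at the first NUL"
    if not raw.endswith(TERMINATOR):
        return "raw data lacks the terminating NUL"
    return "unexplained; value changed between reads or API result is filtered"


def build_api_view(raw_hive: Dict[str, bytes], filtered: Iterable[str] = ()) -> Dict[str, bytes]:
    """What a scanner sees through the API.  Names in `filtered` model a hook
    that removes them from enumeration, which is what a hiding rootkit does."""
    hidden = set(filtered)
    return {name: api_string_view(data) for name, data in raw_hive.items() if name not in hidden}


def compare_views(key: str, api_view: Dict[str, bytes], raw_view: Dict[str, bytes]) -> List[Finding]:
    """Diff the two views of one key.  The first two message strings are the
    ones quoted in this thread; the third is this example's own wording."""
    findings: List[Finding] = []
    for name in sorted(raw_view):
        raw = raw_view[name]
        path = f"{key}\\{name}"
        if name not in api_view:
            findings.append((path, len(raw), "Hidden from Windows API."))
        elif api_view[name] != raw:
            findings.append((path, len(raw),
                             "Data mismatch between Windows API and raw hive data"
                             f" ({explain_mismatch(raw)})."))
    for name in sorted(set(api_view) - set(raw_view)):
        findings.append((f"{key}\\{name}", len(api_view[name]),
                         "Present in Windows API view only, not in raw hive data."))
    return findings


# Constructed hive contents for one key (not the poster's real values).
KEY = r"HKLM\SOFTWARE\Example\VideoUpgradeDisplaySettings"
RAW_HIVE: Dict[str, bytes] = {
    "Driver2": "nv4".encode("utf-16-le") + TERMINATOR,         # well formed: no finding
    "Service2": "nv\x00svc".encode("utf-16-le") + TERMINATOR,  # embedded NUL: benign mismatch
    "Service3": "nvsvc".encode("utf-16-le"),                   # no terminator: benign mismatch
    "Loader": "rk.sys".encode("utf-16-le") + TERMINATOR,       # filtered from the API view below
}


def scan_example() -> List[Finding]:
    """Run the comparison with "Loader" hidden from the API view."""
    api_view = build_api_view(RAW_HIVE, filtered={"Loader"})
    return compare_views(KEY, api_view, RAW_HIVE)


if __name__ == "__main__":
    for path, size, message in scan_example():
        print(f"{path}\t{size} bytes\t{message}")
```

The output uses the same three columns as the scan pasted in the question: path, raw size in bytes, message. For reading the question's results the distinction that matters is the one the code makes: a mismatch with a benign explanation (embedded NUL, missing terminator, a value rewritten between the two reads) is a reason to look at the value, while an entry that is absent from the API view altogether is what a hiding rootkit looks like.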

Assisted Solution

by:r-k
r-k earned 166 total points
ID: 17113324
I agree with the above, there is no rootkit here.

Post a HJT log as follows:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

The symptoms could also be due to other reasons, most commonly failing memory, disk or power supply, but it is best to rule out malware first.

Also, as a test, disconnect all external devices (usb, printer, network) for a while and see if the freeze-ups go away.


Author Comment

by:shayeh
ID: 17117397
Mark, rpggamergirl, and r-k,

Thank you all for your very informative and insightful comments. Unfortunately I am away for the weekend and will only be able to follow up on your suggestions once I get back to my office machine on Monday.

FYI, I had run various anti-spyware / anti-virus scanners (norton, zone alarm, acronis, xsoftspy) and they all gave me a clean bill of health (other than cookies of course).

Presently, I am leaning towards the "bad memory" hypothesis to explain the random freezes. One of the things I intend doing on Monday is to run the microsoft memory scanner to see about the health of my 1 gig of memory.

I will keep you informed of further progress on Monday.

Thanx
Shaye

Expert Comment

by:r-k
ID: 17117540
There are some good diagnostics on this bootable CD which you can download and make:

 http://www.ultimatebootcd.com/

Also, if you are handy with opening the computer, you can re-seat the memory, and also interchange the memory modules to see if that makes a difference.

When running memory tests, you may have to let them run for a couple of hours to detect subtle errors.

Author Comment

by:shayeh
ID: 17126393
OK,
Memory scan ran clean and everything passed on multiple iterations.

Oddly, machine is not freezing today. I'm re-assured that I am not harboring a root kit and I'm comfortable that I am not virus infected. I am leaning towards a thermal condition as an explanation for the freezes because the only active difference that I can point to is that I opened the case and blew out gobs of dust with my compressed air can.

Anyway, I appreciate all your input and I will shortly be splitting the points between the 3 of you (Mark, rpggamergirl, and r-k).

Thank you all and especially thank you to experts exchange for providing such an invaluable resource.

Expert Comment

by:r-k
ID: 17126410
Sounds good. Also check the small fan in back of the power supply to be sure it is spinning.

Expert Comment

by:Mark_FreeSoftware
ID: 17126573

>>Oddly, machine is not freezing today. I'm re-assured that I am not harboring a root kit and I'm comfortable that I am not virus infected. I am leaning towards a thermal condition as an explanation for the freezes because the only active difference that I can point to is that I opened the case and blew out gobs of dust with my compressed air can.

That is a very common cause of lockups.

Make sure the airflow is correct:

air should be sucked in at the bottom (front)
and blown out at the top (back) of the case.

Expert Comment

by:rpggamergirl
ID: 17126843
>>I'm re-assured that I am not harboring a root kit <<
We reassured you that Rootkit Revealer did not find a rootkit, but that does not guarantee that you have a "rootkit free" PC.
Some rootkits target HijackThis, Rootkit Revealer, and BlackLight, which means they are able to hide from those scanners.
A very good example is the pe386 rootkit.

There is a rootkit detection tool that is not targeted yet, but it's NOT user friendly; it flags legit files as rootkits.


Anyway, if everything seems fine then that's good!
Good luck!

Author Comment

by:shayeh
ID: 17127544
This is a link to the HJT analysis that I ran on my home laptop.

http://www.hijackthis.de/logfiles/12f5f0d8720b492aa2fc5bdd1c353989.html

How do I get rid of the nasty and possible nasties?

Expert Comment

by:rpggamergirl
ID: 17127659
Put a check next to these entries and click "Fix Checked"; that's how you fix entries in HijackThis. You have so many O16 entries; it's okay to fix them even if they are legit, because they get downloaded again when they're needed, but they all load when you open IE.

These entries need fixing:
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - C:\WINNT\shginas.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://www.adsserve.com/WildApp.cab


HijackThis automatically deletes this file, but just check to make sure it's gone --> C:\WINNT\shginas.dll
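The fix list in the reply above can be expressed as checks and run over the log. The following is an added example in Python, not HijackThis code: it parses the O-lines, marks "(no file)" orphans and O16 DPF entries as fixable for the reasons rpggamergirl gives, and flags an O2 BHO that loads straight from the Windows directory for review, which is a heuristic of this example rather than a HijackThis rule. The flagged sample lines are the ones from the posted log; the two benign lines, and the `Finding`, `triage_line` and `triage_log` names, are constructed for the example.

```python
"""Triage of HijackThis (HJT) log lines, added as an example for this thread.

This is not HijackThis code.  It writes the rules applied in the reply above
as checks run over the log lines: an entry whose target is "(no file)" is an
orphan and safe to fix; every O16 DPF (ActiveX download) entry can be fixed
because the control is downloaded again when a page needs it; and an O2 BHO
whose DLL sits directly in the Windows directory rather than under an
application folder is flagged for review.  The last rule is a heuristic of
this example, not a HijackThis rule.  The flagged lines are the ones posted
above; the benign lines are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
WINDIR_RE = re.compile(r"^[A-Za-z]:\\(WINNT|WINDOWS)\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # e.g. "O2", "O16"
    line: str      # the log line as posted
    verdict: str   # "fix" (tick it and click Fix Checked) or "review"
    reason: str


def parse_fields(rest: str) -> Tuple[str, List[str]]:
    """Split the text after 'Onn - ' into (kind, fields), e.g.
    'BHO: (no name) - AutorunsDisabled - (no file)' ->
    ('BHO', ['(no name)', 'AutorunsDisabled', '(no file)'])."""
    kind, _, tail = rest.partition(": ")
    return kind, [field.strip() for field in tail.split(" - ")]


def in_windows_dir(path: str) -> bool:
    """True when the file lives directly in C:\\WINNT or C:\\WINDOWS."""
    return WINDIR_RE.match(path) is not None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the three rules to one line; None means nothing to do."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    section, rest = match.groups()
    _, fields = parse_fields(rest)
    target = fields[-1] if fields else ""
    if target == "(no file)":
        return Finding(section, line, "fix", "orphaned entry: its file no longer exists")
    if section == "O16":
        return Finding(section, line, "fix", "DPF ActiveX download: re-fetched when needed, safe to fix")
    if section == "O2" and in_windows_dir(target):
        return Finding(section, line, "review", "BHO loads straight from the Windows directory: verify the DLL")
    return None


def triage_log(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    return [finding for finding in map(triage_line, log.splitlines()) if finding]


# Lines 1-7 are from the log discussed above; the last two are constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - C:\WINNT\shginas.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://www.adsserve.com/WildApp.cab
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\update.exe
"""


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section:4} {f.reason}\n       {f.line}")
```

Run against the sample it reports six lines to fix and one to review (the BHO in C:\WINNT), and leaves the constructed benign O2 and O4 lines alone; the "review" verdict is deliberately not "fix", because a DLL in the Windows directory needs a look at the file before anything is removed.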