help with rootkit scan results

Posted on 2006-07-14
Medium Priority
Last Modified: 2013-12-04
I just ran a rootkit scan (twice, with the same results) and I need some guidance in interpreting the results.

Just FYI, I was not running anything else at the time of the scan, although there may have been background tasks running that normally start with windows (WIN 2K).

The underlying problem that led me to run the scan in the 1st place is that my machine randomly freezes up and has to be hard reset to get it going again.

The following is a "paste" of the scan results. Any guidance would be greatly appreciated.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Driver2      7/10/2006 6:33 PM      3 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service2      7/10/2006 6:33 PM      7 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service3      7/10/2006 6:33 PM      5 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Motorola\PST\USBDriverVersionNumber      12/15/2005 1:50 PM      3 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Control\Motorola\PST\USBDriverVersionNumber      12/15/2005 1:50 PM      3 bytes      Data mismatch between Windows API and raw hive data.
Question by:shayeh
LVL 13

Expert Comment

ID: 17112386

which program did you use to check this? (i guess sysinternals ? )

Author Comment

ID: 17112446
Thank you for your response.

The name of the program is    "rootkitRevealer.exe"

In the past when it ran (on a quiescent system), it returned zero messages. Now, it gave me the above listing, and, since I'm having a "freezing" problem, I wonder if there is a corresponding relationship.

Even if not, I wonder what these messages mean. I'm hoping that one of the more experienced hands here can give me some direction
LVL 13

Accepted Solution

Mark_FreeSoftware earned 668 total points
ID: 17112542

>>The name of the program is
that's from sysinternals

try to download the newest version and run it again (they do a lot of fixes)

>>I wonder what these messages mean.
it is possible to view the registry with the windows api (eg RegQueryValueEx)
what the rootkit program does, is checking if the data returned with that,
is the same as what is on the harddisk

these messages tell you that the file has something different than what the api call returns
this is most of the time caused by an incorrect string, or by an embedded Nullchar

your case looks a lot like this one:

do a full system scan with a virus scanner, and check back here (or you could follow directions on that forum if your computer is indeed infected with the same)
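As an added illustration of the comparison described above (example code, not from the thread or from Sysinternals): a small Python triage helper that takes the raw bytes of a REG_SZ value as they sit in the hive and reports why a string-oriented Windows API caller would see something different. The Win32 side is simulated here as a caller that treats the returned buffer as a NUL-terminated UTF-16LE string; the sample values are constructed, not the poster's real registry data.

```python
# Added example: classify benign reasons for a "Data mismatch between Windows
# API and raw hive data" report on a REG_SZ value. Raw hive bytes are compared
# against what a caller sees when it treats the RegQueryValueEx buffer as a
# NUL-terminated UTF-16LE string (simulated; the real tool's internals are
# not documented on the page and are assumed here).

def api_view(raw: bytes) -> str:
    """Simulate a string-oriented API caller: decode as UTF-16LE and stop at
    the first NUL terminator, dropping any trailing odd byte."""
    even = raw[: len(raw) - (len(raw) % 2)]
    text = even.decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def classify_mismatch(raw: bytes) -> str:
    """Return 'consistent' when the raw bytes are exactly the visible string
    plus one terminator, otherwise name the malformation that explains the
    difference between the raw hive data and the API view."""
    if len(raw) % 2 == 1:
        # Odd sizes (like the 3, 5 and 7 byte values in the scan output)
        # cannot be whole UTF-16 strings: an incorrectly sized string.
        return "odd byte length: not a whole number of UTF-16 code units"
    visible = api_view(raw)
    expected = visible.encode("utf-16-le") + b"\x00\x00"
    if raw == expected:
        return "consistent"
    if not raw.endswith(b"\x00\x00"):
        return "missing NUL terminator"
    # Bytes after the first terminator are present on disk but invisible to
    # any caller using C-string semantics: the embedded-NUL case.
    return "embedded NUL: trailing data hidden from string callers"


# Constructed sample values (not real registry data):
SAMPLES = {
    "well_formed": "abc".encode("utf-16-le") + b"\x00\x00",
    "odd_length": b"a\x00\x00",                      # 3 bytes, like Driver2
    "no_terminator": "ab".encode("utf-16-le"),
    "embedded_nul": b"a\x00\x00\x00b\x00\x00\x00",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} api={api_view(raw)!r:6} -> {classify_mismatch(raw)}")
```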


LVL 47

Assisted Solution

rpggamergirl earned 668 total points
ID: 17112650
I don't see any rootkits there. A mismatch doesn't mean the presence of any rootkits.
A rootkit would be something like an .exe or Device driver or hardware configuration file(sys) that is hidden from windows API.

When Rootkit Revealer starts, it asks Windows what is there and compares it with what is on the disk. Anything that Windows didn't tell RKR at the start is hidden from the Windows API.
The mismatch in your case could mean that a registry value has changed during the scan.

What I am sure of is that RKR did not find any rootkits.
The freezing could be caused by many things; have you eliminated malware/viruses as being the cause of the freezing?

Please download HijackThis 1.99.1
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.

LVL 32

Assisted Solution

r-k earned 664 total points
ID: 17113324
I agree with the above, there is no rootkit here.

Post a HJT log as follows:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

The symptoms could also be due to other reasons, most commonly failing memory, disk or power supply, but it is best to rule out malware first.

Also, as a test, disconnect all external devices (usb, printer, network) for a while and see if the freeze-ups go away.


Author Comment

ID: 17117397
Mark, rpggamergirl, and r-k,

Thank you all for your very informative and insightful comments. Unfortunately I am away for the weekend and will only be able to follow up on your suggestions once I get back to my office machine on Monday.

FYI, I had run various anti-spyware / anti-virus scanners (norton, zone alarm, acronis, xsoftspy) and they all gave me a clean bill of health (other than cookies of course).

Presently, I am leaning towards the "bad memory" hypothesis to explain the random freezes. One of the things I intend doing on Monday is to run the microsoft memory scanner to see about the health of my 1 gig of memory.

I will keep you informed of further progress on Monday.

LVL 32

Expert Comment

ID: 17117540
There are some good diagnostics on this bootable CD which you can download and make:


Also, if you are handy with opening the computer, you can re-seat the memory, and also interchange the memory modules to see if that makes a difference.

When running memory tests, you may have to let them run for a couple of hours to detect subtle errors.

Author Comment

ID: 17126393
Memory scan ran clean and everything passed on multiple iterations.

Oddly, machine is not freezing today. I'm re-assured that I am not harboring a root kit and I'm comfortable that I am not virus infected. I am leaning towards a thermal condition as an explanation for the freezes because the only active difference that I can point to is that I opened the case and blew out gobs of dust with my compressed air can.

Anyway, I appreciate all your input and I will shortly be splitting the points between the 3 of you (Mark, rpggamergirl, and r-k).

Thank you all and especially thank you to experts exchange for providing such an invaluable resource.
LVL 32

Expert Comment

ID: 17126410
Sounds good. Also check the small fan in back of the power supply to be sure it is spinning.
LVL 13

Expert Comment

ID: 17126573

>>Oddly, machine is not freezing today. I'm re-assured that I am not harboring a root kit and I'm comfortable that I am not virus infected. I am leaning towards a thermal condition as an explanation for the freezes because the only active difference that I can point to is that I opened the case and blew out gobs of dust with my compressed air can.

that is a very common issue of lockups

make sure the airflow is correct,

air should be sucked in at the bottom (front)
and blown out at the top (backside) of the case
LVL 47

Expert Comment

ID: 17126843
>>I'm re-assured that I am not harboring a root kit <<
We reassured you that Rootkit Revealer did not find a rootkit, but that does not guarantee that you have a "rootkit free" pc.
Some rootkits target HijackThis, Rootkit Revealer, and Blacklight, which means they are able to hide from those scanners.
A very good example is the pe386 rootkit.

There is a rootkit detection tool that is not targeted yet but it's NOT user friendly, it flags legit files as rootkits.

Anyway, if everything seems fine then that's good!
Good luck!

Author Comment

ID: 17127544
This is a link to the HJT analysis that I ran on my home laptop.


How do I get rid of the nasty and possible nasties?
LVL 47

Expert Comment

ID: 17127659
Put a check next to these entries and click "Fix Checked"; that's how you fix entries in HijackThis. You have so many O16 entries; it's okay to fix them even if they are legit because they get downloaded again when they're needed, but they all load when you open IE.

these entries need fixing:
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - C:\WINNT\shginas.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN.cab   
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} - http://rd1.surfernetwork.com/surferplugin.ocx 
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab 
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://www.adsserve.com/WildApp.cab 

HijackThis automatically deletes this file, but just check to make sure it's gone --> C:\WINNT\shginas.dll
