[Reddoug]

Hi All

I am reading a book "Windows Forensic Analysis" and i downloaded Microsoft SysinternalsSuite. I have be playing with some of the tools. I ran rootkit revealer and it found some things. I did a screen print and saved it in a compressed folder that I will attach. Trying to figure out if I am infected. Computer does not show any signs of infections. I use MS Security Essentials, Malwarebytes. What other good programs are there to check for rootkits? Computer is running Windows XP Pro 32 bit.

Thanks, Doug

Attached Files

•  Rootkit.zip   200.98KB   100 downloads

[Advertisements]

Hello Reddoug

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:

• Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
• Absence of symptoms does not always mean the computer is clean
• Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
• Please DO NOT run any scans or fix on your own without my direction.
• Please read all of my response through at least once before attempting to follow the procedures described.
• If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
• You must reply within 3 days or your topic will be closed

GMER will show us if anything is hiding on your system.

Step 1

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
• Click on this link to see a list of programs that should be disabled.
• Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
• Allow the driver to load if asked.
• You may be prompted to scan immediately if it detects rootkit activity.
• If you are prompted to scan your system click "No", save the log and post back the results.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as Results.log and copy/paste the contents in your next reply.
• Exit the program and re-enable all active protection when done.

Step 2

Please don't forget to include these items in your reply:

• GMER log

It would be helpful if you could post each log in separate post

[maliprog]

Hello Reddoug

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:

• Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
• Absence of symptoms does not always mean the computer is clean
• Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
• Please DO NOT run any scans or fix on your own without my direction.
• Please read all of my response through at least once before attempting to follow the procedures described.
• If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
• You must reply within 3 days or your topic will be closed

GMER will show us if anything is hiding on your system.

Step 1

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
• Click on this link to see a list of programs that should be disabled.
• Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
• Allow the driver to load if asked.
• You may be prompted to scan immediately if it detects rootkit activity.
• If you are prompted to scan your system click "No", save the log and post back the results.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as Results.log and copy/paste the contents in your next reply.
• Exit the program and re-enable all active protection when done.

Step 2

Please don't forget to include these items in your reply:

• GMER log

It would be helpful if you could post each log in separate post

[Reddoug]

Hi

Below is the log from GMER. I thought it would be much bigger as long as it took to run GMER scan.

Thanks, Doug


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-13 10:43:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-11 WDC_WD2500KS-00MJB0 rev.02.01C03
Running: 8p292zlo.exe; Driver: C:\DOCUME~1\Red\LOCALS~1\Temp\pxtdapod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2396] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 30F281EC C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

---- EOF - GMER 1.0.15 ----

[maliprog]

GMER log is clean. There is nothing to worry about!

If you don't have any other issues remove GMER from your system and I'll call this one solved

[Reddoug]

Thank you for your help.

If I could ask, what was it that rootkit revealer (from System Internals) was showing? What is the difference between GMER and Rootkit Revealer programs?
Trying to learn a little.

Doug

[maliprog]

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternate, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis.

All antirootkit programs list all they can find, all that is hiding, and list it. GMER is more sophisticated and it list only a few items. GMER alerts if it found real rootkit but in most cases we need to decide what needs to be removed and what's not.

Glad your system is clean. Goodbye and stay safe

[Reddoug]

Thanks again. Doug

[maliprog]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.