Do I have a Rootkit?

Discussion in 'malware problems & news' started by chriskirner, Sep 5, 2006.

Thread Status:
Not open for further replies.
  1. chriskirner

    chriskirner Registered Member

    Joined:
    Mar 19, 2004
    Posts:
    12
    Hi Everyone,

    I'm going to post a short log from Sysinternals' RootkitRevealer. From what I've read on their site, it seems pretty likely I have a rootkit of some kind.

    What I would like is perhaps some expert confirmation, and to find out if using system restore will have any effect on a rootkit.

    Here's the log:

    HKLM\SOFTWARE\Classes\webcal\URL Protocol 8/7/2006 9:41 AM 13 bytes Data mismatch between Windows API and raw hive data.

    HKLM\SOFTWARE\TrendMicro\PC-cillin\ScanInfo\LastScanFile 9/4/2006 5:07 AM 54 bytes Windows API length not consistent with raw hive data.

    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 8/29/2006 1:09 AM 0 bytes Access is denied.

    C:\Documents and Settings\Loretta\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\curwx_600x405[1].jpg 9/4/2006 5:07 AM 31.70 KB Visible in Windows API, but not in MFT or directory index.

    C:\Program Files\Trend Micro\Internet Security 12\Log\20060904.VLG 9/4/2006 5:17 AM 528 bytes Hidden from Windows API.


    I appreciate any help you can give.

    If system restore won't do it, my new Dell has a factory drive image on it somewhere. Will that take care of it?

    It seems a shame the Wilders forum isn't involved in removal anymore, but I guess most of the malware experts are involved with others that do, so nothing's really lost, is it?

    Anyway thanks for the help.
    Having this thing on here (if it's really here) makes me nervous.

    Chris
     
  2. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    I am 99.9% sure that you do not have any rootkit.
     
  3. chriskirner

    chriskirner Registered Member

    Joined:
    Mar 19, 2004
    Posts:
    12
    Hi John,

    I sure hope you're right.

    The most suspicious entry, the one that says "access denied", is the one that most concerned me. In their explanation of how RootkitRevealer works, the guys at Sysinternals said that you should never see that unless something is wrong.

    Thanks for the advice!

    Chris
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    sptd\Cfg is related to Daemon Tools and Alcohol software. If you use the sysinternals forum search you should find most of your answers, if not all.

    ** Links to common log issues ** http://forum.sysinternals.com/forum_posts.asp?TID=3250&PN=1

    Did you post any questions on the Sysinternals forum?


    StevieO
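The log in the first post and StevieO's note that sptd\Cfg belongs to Daemon Tools / Alcohol lend themselves to a small triage script. The following is an added example, not code from the thread or from RootkitRevealer; the severity ranking and the known-benign table are assumptions chosen for illustration, and the sample log is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass
# Constructed sample reproducing the four discrepancy types quoted in the thread.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\webcal\URL Protocol 8/7/2006 9:41 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 8/29/2006 1:09 AM 0 bytes Access is denied.
C:\Documents and Settings\Loretta\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\curwx_600x405[1].jpg 9/4/2006 5:07 AM 31.70 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Trend Micro\Internet Security 12\Log\20060904.VLG 9/4/2006 5:17 AM 528 bytes Hidden from Windows API.
"""

# Path (may contain spaces), then timestamp, size with unit, then the discrepancy text.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$")

# Assumed known-benign table; the thread identifies sptd\Cfg as Daemon Tools / Alcohol.
KNOWN_BENIGN = {r"\services\sptd\cfg": "sptd (Daemon Tools / Alcohol) protected config key"}
@dataclass
class Finding:
    path: str
    desc: str
    severity: str  # "high", "medium", "low" or "info"
    note: str

def classify(path: str, desc: str) -> Finding:
    """Rank one RootkitRevealer discrepancy for human review (assumed ranking)."""
    for suffix, why in KNOWN_BENIGN.items():
        if path.lower().endswith(suffix):
            return Finding(path, desc, "info", why)
    d = desc.lower()
    if d.startswith("hidden from windows api"):
        # Present in raw data but hidden from the API: the classic rootkit signature,
        # although a file written while the scan ran can also land here.
        return Finding(path, desc, "high", "re-scan; confirm from an offline boot")
    if "visible in windows api, but not in mft" in d:
        return Finding(path, desc, "low", "usually a file created or deleted during the scan")
    if "access is denied" in d:
        return Finding(path, desc, "medium", "protected key; identify the owning driver")
    if "data mismatch" in d or "length not consistent" in d:
        return Finding(path, desc, "medium", "compare with raw hive; often a known application key")
    return Finding(path, desc, "medium", "unrecognised discrepancy type")

def triage(log_text: str):
    # Parse a RootkitRevealer text export and return one Finding per parsable line.
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(classify(m["path"], m["desc"]))
    return findings
```

Running `triage(SAMPLE_LOG)` ranks the Trend Micro log file highest and marks the sptd key as informational, which matches how the thread resolves the question.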
     
  5. chriskirner

    chriskirner Registered Member

    Joined:
    Mar 19, 2004
    Posts:
    12
    Thanks StevieO,

    I did just that, and it looks good to me.

    I was concerned about that sptd file. I tried to run the command console in GMER rootkit yesterday and my system kept hanging up on reboot at that process. I didn't know what it meant, but I know I didn't like it!

    I have to admit, I'm pretty paranoid about rootkits. Powerful, invisible, hard to get rid of (if you manage to find one), and spreading; what's to be afraid of?

    Thanks for the help!
    Until next time!

    Chris
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands