
Rootkit Revealer Acting Up


7 replies to this topic

#1 joe blow


Posted 13 November 2007 - 02:02 AM

Hi,

The problem started when I ran RootkitRevealer and, halfway through, the scan stopped and Windows said it had to close the program and wanted to send an error report.

The scan had stopped on adobe, so I uninstalled adobe and ran the scan again. This time the same thing happened but now the scan had stopped on the temp internet files. So I ran Steven Gould's "cleanup" and scanned again and everything was fine.

But now when I scan this shows up.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11/13/2007 3:56 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

From what I've been able to find out it isn't anything serious, but in conjunction with the initial scanning problems I thought I better get it checked out.

AVG rootkit detector doesn't pick up anything.

Thanks for any help that anyone can give.

#2 quietman7


Posted 13 November 2007 - 11:30 AM

The entry is related to Windows Update or Automatic Update database temp file.

If you're unsure how to use RKR or read its logs, stick with AVG Anti-Rootkit or use Panda AntiRootkit.zip instead.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 joe blow


Posted 14 November 2007 - 03:52 AM

O.K. Thanks for that.

Is it possible that some kind of malware hiding in the temporary internet files was preventing RootkitRevealer from running initially?

#4 quietman7


Posted 14 November 2007 - 08:19 AM

There are various reasons for RKR and other ARKs encountering problems when trying to scan.

Before performing a scan it is recommended to do the following to ensure the best results:
  • Disconnect from or physically unplug the cable from the PC to the Internet connection.
  • Close down All Scheduling/Updating + Running Background tasks, etc.
  • Disable/turn off any program that might activate during the scan such as screensaver, anti-virus, anti-spyware. Programs that activate during the scan may cause RKR to display inaccurate/misleading log results.
  • Then after starting the scan, DO NOT use the computer until the scan has completed.


#5 joe blow


Posted 14 November 2007 - 09:09 PM

Thanks for the help you have provided so far. Unfortunately a new problem has arisen.

I have installed Kerio firewall. Now when I run RootkitRevealer a window from Kerio pops up during the scan and says "Change CodePage Utility" is being launched by "Windows Command Processor".

If I allow it, the scan runs normally and nothing is detected. If I do not allow it, the scan comes back as follows.

HKLM\SECURITY\Policy\Secrets\SAC* 8/15/2007 8:13 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/15/2007 8:13 PM 0 bytes Key name contains embedded nulls (*)
C:\adownloads\RegSeeker\RegSeeker\Languages\Espaol.bmp 11/5/2005 12:15 PM 1.30 KB Visible in Windows API, but not in MFT or directory index.
C:\adownloads\RegSeeker\RegSeeker\Languages\Espaol.lng 6/8/2007 3:47 PM 6.00 KB Visible in Windows API, but not in MFT or directory index.
C:\adownloads\RegSeeker\RegSeeker\Languages\EspaŮol.bmp 11/5/2005 12:15 PM 1.30 KB Hidden from Windows API.
C:\adownloads\RegSeeker\RegSeeker\Languages\EspaŮol.lng 6/8/2007 3:47 PM 6.00 KB Hidden from Windows API.
C:\adownloads\RegSeeker\RegSeeker\Languages\Portugus-BR.bmp 11/5/2005 12:15 PM 1.94 KB Visible in Windows API, but not in MFT or directory index.
C:\adownloads\RegSeeker\RegSeeker\Languages\Portugus-BR.lng 6/8/2007 3:47 PM 5.95 KB Visible in Windows API, but not in MFT or directory index.
C:\adownloads\RegSeeker\RegSeeker\Languages\PortuguÍs-BR.bmp 11/5/2005 12:15 PM 1.94 KB Hidden from Windows API.
C:\adownloads\RegSeeker\RegSeeker\Languages\PortuguÍs-BR.lng 6/8/2007 3:47 PM 5.95 KB Hidden from Windows API.
C:\Documents and Settings\ 12/17/2006 6:48 PM 309 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 12/17/2006 6:48 PM 309 bytes Hidden from Windows API.
C:\Documents and Settings\ 2007 9:09 PM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 4/26/2007 9:09 PM 240 bytes Hidden from Windows API.
C:\Documents and Settings\ 10/30/2007 7:24 PM 439 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 10/30/2007 7:24 PM 439 bytes Hidden from Windows API.
C:\Documents and Settings\ 10/21/2007 8:46 PM 516 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 10/21/2007 8:46 PM 516 bytes Hidden from Windows API.
C:\Documents and Settings\ 11/1/2007 6:30 PM 251 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 11/1/2007 6:30 PM 251 bytes Hidden from Windows API.
C:\Documents and Settings\ 8/18/2007 4:43 PM 285 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 8/18/2007 4:43 PM 285 bytes Hidden from Windows API.
C:\Documents and Settings\ 7/15/2007 5:34 PM 319 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 7/15/2007 5:34 PM 319 bytes Hidden from Windows API.
C:\Documents and Settings\ 9/13/2007 5:52 PM 401 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 1/1/2007 7:34 PM 356 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 1/1/2007 7:34 PM 356 bytes Hidden from Windows API.
C:\Documents and Settings\ 9/13/2007 5:52 PM 401 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/2/2007 6:26 PM 351 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/2/2007 6:26 PM 351 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/12/2007 8:24 PM 285 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/12/2007 8:24 PM 285 bytes Hidden from Windows API.
C:\Documents and Settings\ 9/25/2006 8:35 PM 211 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 9/25/2006 8:35 PM 211 bytes Hidden from Windows API.
C:\Documents and Settings\ 11/6/2006 4:10 PM 512 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 11/6/2006 4:10 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/23/2007 5:31 PM 285 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/23/2007 5:31 PM 285 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/21/2007 5:41 PM 293 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/21/2007 5:41 PM 293 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/23/2007 5:35 PM 297 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/23/2007 5:35 PM 297 bytes Hidden from Windows API.
C:\Documents and Settings\ 7/24/2007 5:26 PM 297 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 7/24/2007 5:26 PM 297 bytes Hidden from Windows API.
C:\Documents and Settings\ 11/19/2006 7:54 PM 265 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 11/19/2006 7:54 PM 265 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 11/19/2006 7:54 PM 265 bytes Hidden from Windows API.
C:\Documents and Settings\ 11/19/2006 7:54 PM 265 bytes Hidden from Windows API.
C:\Documents and Settings\ 10/23/2006 8:55 PM 255 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 10/23/2006 8:55 PM 255 bytes Hidden from Windows API.
C:\Documents and Settings\ 3/29/2007 7:32 PM 371 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 11/21/2006 6:57 PM 289 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 3/29/2007 7:32 PM 371 bytes Hidden from Windows API.
C:\Documents and Settings\ 11/21/2006 6:57 PM 289 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/21/2007 5:40 PM 293 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/21/2007 5:40 PM 293 bytes Hidden from Windows API.
C:\Documents and Settings\ 4/9/2007 1:48 PM 267 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ /2007 1:48 PM 267 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/30/2007 4:18 PM 482 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/28/2007 6:23 PM 223 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/30/2007 4:18 PM 482 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/28/2007 6:23 PM 223 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/6/2007 5:40 PM 226 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/6/2007 5:40 PM 226 bytes Hidden from Windows API.
C:\Documents and Settings\ 5/18/2007 4:36 PM 248 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 5/18/2007 4:36 PM 248 bytes Hidden from Windows API.

The "C:\Documents and Settings\" entries were all "favorites". I have edited them because they contained identifiable information. They were for BBC, flickr, McAfee and a couple of help sites. They only made up a small proportion of my favorites. I have no idea why they were singled out.

Have I just interfered with the normal running of RootkitRevealer, or do I have an infection?

In depth scans with AVG and Panda rootkit detectors find nothing, and do not get the Kerio pop up.

I would really appreciate it if you were able to tell me what is going on here.

Thanks.

#6 quietman7


Posted 14 November 2007 - 10:16 PM

Have I just interfered with the normal running of RootkitRevealer, or do I have an infection?

You're overreacting because you don't understand how to interpret the log results and you're not scanning properly. Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You really should stick with an ARK that you are familiar with.

I don't use Kerio so I'm not exactly sure what the "Change CodePage Utility"... message means. Were you running RKR from the command line? You can inquire about this at the RootkitRevealer Forum. They can help provide more specific details as well as analyze RKR logs. I suspect Kerio is interfering with the scan. As I previously stated, before running a scan it is best to disconnect from the Internet and disable/turn off any program that might activate during the scan. If you don't do that, you will encounter problems with your scan.

HKLM\SECURITY\Policy\Secrets\SAC* 8/15/2007 8:13 PM 0 bytes Key name contains embedded nulls(*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/15/2007 8:13 PM 0 bytes Key name contains embedded nulls(*)
Starting with v1.71 RKR began to scan the HKLM\Security\Policy hive which contains SAC* and SAI* hidden keys with embedded nulls. This is normal and not a cause for alarm. See RKR 1.71 and HKLM\Security\Policy\Secrets.

C:\Documents and Settings\ 12/17/2006 6:48 PM 309 bytes Visible in Windows API, but not in MFT or directory index.

RKR currently doesn't handle links/junctions at all. So at the WinAPI level it sees relevant file system objects more than once (once for real, one or more times via a link). In the latter case(s) it doesn't find raw objects on disk to match, so generates a "Visible in Windows API, but not in MFT or directory index" report for them.

RKR + Vista soft links = huge log
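As an added example (not code from the thread, from quietman7, or from Sysinternals), here is a small Python triage helper for RKR log lines like the ones posted above. It parses the `path date time size description` format, flags the HKLM\SECURITY\Policy\Secrets embedded-null keys the moderator explains are normal since RKR 1.71, and pairs each "Visible in Windows API, but not in MFT or directory index" entry with a "Hidden from Windows API" entry that has the identical timestamp and size, which is what one object reached under two different names produces in a cross-view scanner (the thread attributes this to links and junctions; that the Espaol/EspaŮol lines look like two spellings of one non-ASCII filename is my observation, not the thread's). The sample log is constructed from lines quoted in the thread, including one of the truncated-date lines so the parser's handling of malformed input is exercised; the function and category names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format RootkitRevealer (RKR) prints, reproducing
# the kinds of lines quoted in this thread (redacted favourites kept as posted):
#   <path> <M/D/YYYY> <H:MM AM|PM> <size> <bytes|KB|MB> <description>
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 8/15/2007 8:13 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/15/2007 8:13 PM 0 bytes Key name contains embedded nulls (*)
C:\adownloads\RegSeeker\RegSeeker\Languages\Espaol.bmp 11/5/2005 12:15 PM 1.30 KB Visible in Windows API, but not in MFT or directory index.
C:\adownloads\RegSeeker\RegSeeker\Languages\EspaŮol.bmp 11/5/2005 12:15 PM 1.30 KB Hidden from Windows API.
C:\Documents and Settings\ 12/17/2006 6:48 PM 309 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 12/17/2006 6:48 PM 309 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11/13/2007 3:56 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ 2007 9:09 PM 240 bytes Visible in Windows API, but not in MFT or directory index.
"""

VISIBLE_NOT_MFT = "Visible in Windows API, but not in MFT or directory index."
HIDDEN_FROM_API = "Hidden from Windows API."
LSA_SECRETS_PREFIX = r"HKLM\SECURITY\Policy\Secrets"   # hive RKR scans since v1.71 (per the thread)

# Paths may contain spaces, so the path is matched lazily up to the first
# "M/D/YYYY H:MM AM|PM" timestamp; anything without such a timestamp is malformed.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) "
    r"(?P<desc>.+)$"
)
UNIT_BYTES = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_line(line):
    """Return a dict for one RKR log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "path": d["path"],
        "timestamp": f'{d["date"]} {d["time"]}',
        "size_bytes": int(round(float(d["size"]) * UNIT_BYTES[d["unit"]])),
        "desc": d["desc"],
    }


def parse_log(text):
    """Split a log into parsed entries and the raw lines that failed to parse."""
    entries, malformed = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        (entries if entry else malformed).append(entry or raw)
    return entries, malformed


def is_lsa_secret_with_nulls(entry):
    """Embedded-null keys under HKLM\\SECURITY\\Policy\\Secrets: normal RKR 1.71+ output."""
    return (entry["desc"].startswith("Key name contains embedded nulls")
            and entry["path"].lower().startswith(LSA_SECRETS_PREFIX.lower()))


def pair_cross_view(entries):
    """Pair API-only entries with hidden entries that share timestamp and size.

    RKR diffs the Windows API view against a raw read of the MFT/directory
    index. One object reached under two names (the thread's explanation is
    links/junctions) shows up as an API-only line plus a hidden line with the
    same timestamp and size; pairing them suggests a single object, not two.
    """
    buckets = defaultdict(lambda: {"api_only": [], "hidden": []})
    for e in entries:
        key = (e["timestamp"], e["size_bytes"])
        if e["desc"] == VISIBLE_NOT_MFT:
            buckets[key]["api_only"].append(e)
        elif e["desc"] == HIDDEN_FROM_API:
            buckets[key]["hidden"].append(e)
    pairs, unpaired = [], []
    for b in buckets.values():
        while b["api_only"] and b["hidden"]:
            pairs.append((b["api_only"].pop(0)["path"], b["hidden"].pop(0)["path"]))
        unpaired.extend(b["api_only"] + b["hidden"])
    return pairs, unpaired


def triage(log_text):
    """Bucket an RKR log into the categories discussed in the thread."""
    entries, malformed = parse_log(log_text)
    pairs, unpaired = pair_cross_view(entries)
    return {
        "lsa_secrets_embedded_nulls": [e["path"] for e in entries if is_lsa_secret_with_nulls(e)],
        "same_object_two_names": pairs,
        "api_only_unpaired": [e["path"] for e in unpaired if e["desc"] == VISIBLE_NOT_MFT],
        "hidden_unpaired": [e["path"] for e in unpaired if e["desc"] == HIDDEN_FROM_API],  # worth a second look
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category} ({len(items)})")
        for item in items:
            print("   ", item)
```

Anything left in `hidden_unpaired` is the bucket that deserves attention from a defender: an object the raw disk view shows but the API does not, with no same-sized API-side twin to explain it away. Everything else in this sample falls into the categories the moderator describes as normal.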

#7 joe blow


Posted 16 November 2007 - 01:13 AM

O.K. Thanks for the help.

Hopefully I am just being a bit paranoid, but with the stuff that is floating around out there it's easy to get that way.

Thanks again.

#8 quietman7


Posted 16 November 2007 - 07:48 AM

You're welcome.



