
How Do I Delete Files That Are Thrown Up By Rootkitrevealer


5 replies to this topic

#1 KeithH

  • Members
  • 27 posts

Posted 15 March 2008 - 03:08 AM

I have run RootkitRevealer and it shows up 5 registry problems and 5 file problems. Assuming I need to remove them, how do I delete them, as whenever I try either they are hidden or access is denied? I am running W2000.

HKU\.DEFAULT\Control Panel\International 13/01/2008 21:36 0 bytes Security mismatch.
HKU\S-1-5-21-1993962763-1708537768-854245398-1000\Control Panel\International 13/01/2008 21:35 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 06/10/2005 13:29 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 06/10/2005 13:29 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:3b9b8aed-e9a4-401b-a395-492088eef5f0* 05/10/2005 12:55 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Keith\Application Data\skypePM\2008-03-15-0.ezlog 15/03/2008 00:41 728 bytes Hidden from Windows API.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\17f4.B014824001C8861A.history\00000000.bak 14/03/2008 21:44 4.20 MB Hidden from Windows API.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1838.2BA3D10001C8861C.history 14/03/2008 21:41 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1838.2BA3D10001C8861C.history\00000000.bak 14/03/2008 21:41 682.93 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\Report\08a5_File_Monitoring_eventcritlog.rpt 14/03/2008 21:49 4.35 KB Hidden from Windows API.


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 March 2008 - 12:35 PM

That 4.2 MB one seems suspicious.

I would run AVG Anti-rootkit and run a scan.

Post the results back here.

#3 KeithH
  • Topic Starter

  • Members
  • 27 posts

Posted 16 March 2008 - 04:23 PM

I downloaded and ran AVG Anti-rootkit (free) and it came up with nothing but I did notice a number of files flashed up as 'password protected'. I couldn't find a log file and they went by so quick I don't know which they were.

Just out of interest, I use Sunbelt Personal Firewall and it is frequently closed for no apparent reason.

Any help or advice will be very much appreciated

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,603 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 March 2008 - 05:53 PM

RKR scans the HKLM\Security\Policy hive which contains SAC* and SAI* hidden keys with embedded (trailing) nulls. This is normal and not a cause for alarm. The presence of some keys with nulls may be pertinent to the correct operation of related applications. See RKR 1.71 and HKLM\Security\Policy\Secrets. Also see "Info on common log entries" such as:

SoftwareDistribution\DataStore
WinGenerics
ODBCINST Entries
Data Mismatches
InprocServer32/embedded nulls
Zero Bytes
Daemon Tools and Alcohol software entries
Cryptography\RNG\Seed\
System Volume Information\_restore
Prefetch

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

If you're unsure how to use RKR or read its logs, use AVG Anti-Rootkit, Sophos Anti-rootkit or Panda AntiRootkit instead. If they detect a rootkit, they should all let you know.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 KeithH
  • Topic Starter

  • Members
  • 27 posts

Posted 17 March 2008 - 04:59 AM

Before you came back I had tried to delete the 00000000.bak file using the command line and it came up with access denied. I then did a dir to see if anything else was in that directory and it had moved itself. Is that something an anti virus program would do?

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,603 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 March 2008 - 09:23 AM

That bak folder was related to Kaspersky but I'm not sure exactly how their AV handles them.

C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1838.2BA3D10001C8861C.history\00000000.bak 14/03/2008 21:41 682.93 KB Visible in Windows API, but not in MFT or directory index.


BTW, the Kaspersky entry appears to be false positive as discussed here and here.
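A triage script for RootkitRevealer output, added here as an example; it is not RKR's own code and not something any poster in this thread ran. It parses lines in the one-entry-per-line format quoted in post #1 (path, date, time, size, description) and applies the rules of thumb from post #4 (SAC* and SAI* under HKLM\SECURITY\Policy\Secrets are LSA secret keys whose embedded nulls are normal) and post #6 (files hidden under Kaspersky's data directory are a known false positive). The rule tables, the verdict labels, and the decision to leave everything else in a review queue are this example's own assumptions, not RKR documentation. The sample input is the ten entries quoted in post #1.

```python
"""Triage RootkitRevealer (RKR) output lines (added example, not RKR code)."""
import re
from dataclasses import dataclass

# Sample input: the ten discrepancy lines quoted in post #1 of this thread.
SAMPLE_RKR_OUTPUT = r"""
HKU\.DEFAULT\Control Panel\International 13/01/2008 21:36 0 bytes Security mismatch.
HKU\S-1-5-21-1993962763-1708537768-854245398-1000\Control Panel\International 13/01/2008 21:35 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 06/10/2005 13:29 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 06/10/2005 13:29 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:3b9b8aed-e9a4-401b-a395-492088eef5f0* 05/10/2005 12:55 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Keith\Application Data\skypePM\2008-03-15-0.ezlog 15/03/2008 00:41 728 bytes Hidden from Windows API.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\17f4.B014824001C8861A.history\00000000.bak 14/03/2008 21:44 4.20 MB Hidden from Windows API.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1838.2BA3D10001C8861C.history 14/03/2008 21:41 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1838.2BA3D10001C8861C.history\00000000.bak 14/03/2008 21:41 682.93 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\All Users\Application Data\Kaspersky Lab\AVP7\Report\08a5_File_Monitoring_eventcritlog.rpt 14/03/2008 21:49 4.35 KB Hidden from Windows API.
"""

# One RKR line: path (may contain spaces), dd/mm/yyyy, HH:MM, size, unit, description.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+)$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

REGISTRY_HIVES = ("HKLM\\", "HKU\\", "HKCU\\", "HKCR\\", "HKCC\\")
# Assumption (post #4): these LSA secret keys normally carry trailing nulls.
LSA_SECRETS_PREFIX = "hklm\\security\\policy\\secrets\\"
EXPECTED_LSA_SECRET_NAMES = ("sac*", "sai*")
# Assumption (post #6): files hidden under this product's data directory are a known false positive.
SECURITY_PRODUCT_DIRS = ("\\kaspersky lab\\",)


@dataclass
class Finding:
    path: str
    timestamp: str
    size_bytes: int
    description: str
    kind: str      # "registry" or "file"
    verdict: str   # "expected", "known-fp" or "review"
    reason: str


def classify(path, description):
    """Return (kind, verdict, reason) for one RKR discrepancy."""
    low = path.lower()
    kind = "registry" if path.upper().startswith(REGISTRY_HIVES) else "file"
    if kind == "registry":
        if low.startswith(LSA_SECRETS_PREFIX) and "embedded nulls" in description.lower():
            name = low[len(LSA_SECRETS_PREFIX):]
            if name in EXPECTED_LSA_SECRET_NAMES:
                return kind, "expected", "LSA secret key with trailing null (normal per post #4)"
            return kind, "review", "embedded-null LSA secret not in the expected list; find the owning application"
        return kind, "review", "registry discrepancy with no benign rule"
    if any(frag in low for frag in SECURITY_PRODUCT_DIRS):
        return kind, "known-fp", "hidden by an installed security product's self-protection"
    return kind, "review", "hidden file outside any known product directory"


def parse_rkr(text):
    """Parse RKR text output into Finding objects; raise on a line the regex cannot read."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised RKR line: " + line)
        size = int(round(float(m["size"]) * UNIT[m["unit"]]))
        kind, verdict, reason = classify(m["path"], m["desc"])
        findings.append(Finding(m["path"], m["date"] + " " + m["time"], size, m["desc"], kind, verdict, reason))
    return findings


def review_queue(findings):
    """Entries still needing a human, largest first (post #2's instinct about the 4.2 MB file)."""
    return sorted((f for f in findings if f.verdict == "review"), key=lambda f: -f.size_bytes)


if __name__ == "__main__":
    for f in parse_rkr(SAMPLE_RKR_OUTPUT):
        print(f"{f.verdict:9} {f.kind:8} {f.size_bytes:>8} {f.path}")
        print(f"          {f.description} -> {f.reason}")
```

Run it as a plain script. On the post #1 data it marks the two SAC*/SAI* keys as expected, the four Kaspersky entries as a known false positive, and leaves four entries for review: the two Control Panel\International security mismatches, the XATM secret, and the Skype log, which sits at the head of the queue as the largest still-unexplained hidden file. Nothing in the thread establishes those four as benign, so the script does not either; it only takes the known cases off the list, which is the same reasoning post #4 applies by hand.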