Your log is posted here
Now that your log is posted, you should NOT make further changes to your computer
(install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion
for the member assisting you and could complicate the malware removal process or make things worst
which would extend the time it takes to clean your computer.
From this point on the Malware Response Team should be the only members that you take advice from
, until they have verified your log as clean.Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.
To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.
Good luck with your log.Important Note
for future reference: Rootkit Revealer
is a stand-alone tool that will help investigate for the presence of rootkits. It will not actually tell you if you are infected or not unless you know what you're looking for. If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you probably should not
be using it. Some ARK tools are intended for advanced users
or to be used under the guidance
of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Incorrectly removing legitimate entries could lead to disastrous problems
with your operating system.Why? Not all hidden components detected
by anti-rootkit (ARK) scanners are malicious
. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators
sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.
API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found
. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.Data mismatch
discrepancies will occur if a registry value is updated while the scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value and virus scanner "last scan" values. RKR scans the HKLM\Security\Policy hive which contains SAC*
and SAI* hidden keys
. This is normal and not a cause for alarm. The presence of some keys with nulls may be pertinent to the correct operation of related applications. The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings.
There are many free ARK tools but some of them require a certain level of expertise and investigative ability to use. These are a few of the easier ARKS for novice users:Malwarebytes Anti-Malware
uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free
offers technology to deal with rootkit infections as well.
Edited by quietman7, 16 December 2010 - 09:52 AM.