Possible rootkits & AdWareAlert - Sysinternals Forums

On my desktop PC I am using XP Home (SP3), plus AVG 8.0.100 Anti-virus Free, plus Sunbelt Kerio Firewall, & K9 Spam Filter.

Until recently I used AVG Anti-Rootkit every 2 weeks or so. It has never found any rootkits. With the introduction of AVG 8, support for their anti-rootkit has been discontinued & so I uninstalled it.

I downloaded & ran RootkitRevealer and got the following results -

HKLM\SECURITY\Policy\Secrets\SAC*
5/24/2004 10:23 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI*
5/24/2004 10:23 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*
5/24/2004 10:26 PM
0 bytes
Key name contains embedded nulls (*)

C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\8DAZ8DEV\Fw_ A must read ... Frogs ....Zone.Identifier
9/20/2007 2:25 PM
26 bytes
Hidden from Windows API

C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\8DAZ8DEV\Fw_ The Safe Sex Dress ....Zone.Identifier
9/20/2007 2:25 PM
26 bytes
Hidden from Windows API

C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\C12FGHOD\Fw_ The Safe Sex Dress ....Zone.Identifier 9/20/2007 2:25 PM
26 bytes
Hidden from Windows API

C:\System Volume Information\_restore{B21C0FA0-681E-4000-9BD9-9282F6AF7D9D}\RP1139\A0430764.cfg
6\2\2008 6:57 PM
27.44 KB
Hidden from Windows API

--------------------------------------------------------

After reading on the Net, it seems to me that the first two items plus all the InprocServer32 entries are false positives. The very last item seems to be connected with System Restore and is probably another false positive, though I would be pleased if some member could confirm that.

This leaves me with 3 entries that are of concern, and two of them (The Safe Sex Dress) suggest that maybe someone has used my computer to access a porn site. I would very much appreciate members advising me whether or not these entries are rootkits, and if so, how to get rid of them.

I have run Panda Anti-Rootkit v1.08.00 and it finds nothing at all. Perhaps this is correct? Does anyone know if this software is reliable for rootkits?

I found a "free" download & removal tool, AdWareAlert 2008 and decided to try that. Of course it was free to download and also to scan but you can't do anything else with it until you register, which of course involves paying them money.

What concerns me is that AdWareAlert claims to have detected 17 rootkits on the PC in the following categories -

3 Adblaster   risk rating 5
2 Coupon bar   risk rating 5
6 Drive Cleaner  risk rating 7
2 Downloader (Lastad) risk rating 8
2 Trojan (Dialer)  risk rating 8
2 Trojan-dropper (Agent) risk rating 6

Rating 8 is listed as being Highly Dangerous.

Unfortunately I cannot get AdWareAlert to give me a log of these entries, and I can't enlarge the screen enough to get the full address in one view.

However, not one of the 17 detections correspond with the RootkitRevealer list. I have copied down the details for the two trojans listed as Highly Dangerous -

hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\realarea.biz

hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\realarea.biz Value

Everytime I boot the PC AdWareAlert comes up with what I would call "a scare campaign", constantly nagging and warning about the need to register & pay to remove these threats. As I am retired on a very small pension, I cannot afford to buy any software that isn't absolutely essential. I would also have to purchase it for my laptop because AdWareAlert downloads current lists from their web site. I also feel that perhaps there is something not right here and AdWareAlert is more about scaring people into parting with money.

At the risk of making this a long posting, I give below the RootkitRevealer log for my ancient laptop -

HKLM\SECURITY\Policy\Secrets\SAC*
9/4/2002 12:18 AM
0 bytes
Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI*
9/4/2002 12:18 AM
0 bytes
Key name contains embedded nulls (*)

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CA21NRHZ
5/29/2008 6:16 PM
0 bytes
Hidden from Windows API.

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAA99JS8
5/29/2008 6:18 PM
0 bytes
Hidden from Windows API.

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAALZ5TV
5/29/2008 6:18 PM
0 bytes
Hidden from Windows API.

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAEPL5E8
5/29/2008 6:17 PM
0 bytes
Hidden from Windows API.

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAK0TFNW
5/29/2008 6:18 PM
0 bytes
Hidden from Windows API.

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAMDIV8Z
5/29/2008 6:17 PM
0 bytes
Hidden from Windows API.

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\Track[1].gif
5/29/2008 6:18 PM
43 bytes
Hidden from Windows API.

C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\SYN7PT2U\Track[1].gif
5/29/2008 5:45 PM
43 bytes
Visible in Windows API, but not in MFT or directory index.

C:\Program Files\KeirNet\K9\Emails\Recent\11BFD0B2.kml
5/29/2008 6:17 PM
2.44 KB
Hidden from Windows API.

C:\Program Files\KeirNet\K9\Emails\Recent\83C15784.kml
5/29/2008 6:17 PM
2.44 KB
Hidden from Windows API.

C:\Program Files\KeirNet\K9\Emails\Recent\D0462C2D.kml
5/29/2008 6:17 PM
2.68 KB
Hidden from Windows API.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
5/29/2008 6:04 PM
64.00 KB
Visible in Windows API, but not in MFT or directory index.

---------------------------

Apart from the first two false positive entries, the list is quite different from the desktop PC, though the software is as much the same as I can make it, including XP Home SP3.

I have run Panda but it found nothing, as did AVG Anti-rootkit until recently uninstalled. I have not installed AdWareAlert on the laptop.

As a general rule, is there any need to be concerned with entries found by RootkitRevealer and which have 0 bytes?

I would expect that the entries KeirNet\K9 are false positives as this is my spam filter, though I would appreciate confirmation. I don't understand why these entries are not found for the desktop as it too has the K9 spam filter.

I am concerned about the two entries with the graphic GIF files that are now used by most web sites. Has some web site dropped a malicious file on the laptop?

I am also concerned about the last entry.

Sorry that this is such a long posting but this gets all my rootkit worries out in one go.

Best wishes to all members,

Colin Robertson
Brisbane, Australia
------------------------------

Author	Message Share Topic Printable Version Delicious Digg Facebook Furl Google MySpace Newsvine reddit StumbleUpon Translate Twitter Windows Live Yahoo Bookmarks Topic Search Topic Options Post Reply Create New Topic
Meriadoc Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 22 August 2006 Online Status: Offline Posts: 233	Post Options Post Reply Quote Meriadoc Report Post Quote Reply Topic: Possible rootkits & AdWareAlert Posted: 03 June 2008 at 8:07pm
	Hi Colin, >"a scare campaign", constantly nagging and warning about the need to register & pay to remove these threats. Any program that does this is definitely a rouge! Time to get rid - (this company is known for exaggerated and deceptive claims to mislead consumers, the 2 you copied down are ridiculous - only hope it leave nicely. empty your temporary files edit:Colin you do not need to part with any money as there is free software and free versions. Also have a look at surfing using a limited account. Different classes of security software. Edited by Meriadoc - 03 June 2008 at 8:47pm

Colin Robertson Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 02 June 2008 Location: Australia Online Status: Offline Posts: 1	Post Options Post Reply Quote Colin Robertson Report Post Quote Reply Posted: 03 June 2008 at 6:31pm
	On my desktop PC I am using XP Home (SP3), plus AVG 8.0.100 Anti-virus Free, plus Sunbelt Kerio Firewall, & K9 Spam Filter. Until recently I used AVG Anti-Rootkit every 2 weeks or so. It has never found any rootkits. With the introduction of AVG 8, support for their anti-rootkit has been discontinued & so I uninstalled it. I downloaded & ran RootkitRevealer and got the following results - HKLM\SECURITY\Policy\Secrets\SAC* 5/24/2004 10:23 PM 0 bytes Key name contains embedded nulls () HKLM\SECURITY\Policy\Secrets\SAI 5/24/2004 10:23 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 5/24/2004 10:26 PM 0 bytes Key name contains embedded nulls () C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\8DAZ8DEV\Fw_ A must read ... Frogs ....Zone.Identifier 9/20/2007 2:25 PM 26 bytes Hidden from Windows API C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\8DAZ8DEV\Fw_ The Safe Sex Dress ....Zone.Identifier 9/20/2007 2:25 PM 26 bytes Hidden from Windows API C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\C12FGHOD\Fw_ The Safe Sex Dress ....Zone.Identifier 9/20/2007 2:25 PM 26 bytes Hidden from Windows API C:\System Volume Information\_restore{B21C0FA0-681E-4000-9BD9-9282F6AF7D9D}\RP1139\A0430764.cfg 6\2\2008 6:57 PM 27.44 KB Hidden from Windows API -------------------------------------------------------- After reading on the Net, it seems to me that the first two items plus all the InprocServer32 entries are false positives. The very last item seems to be connected with System Restore and is probably another false positive, though I would be pleased if some member could confirm that. This leaves me with 3 entries that are of concern, and two of them (The Safe Sex Dress) suggest that maybe someone has used my computer to access a porn site. I would very much appreciate members advising me whether or not these entries are rootkits, and if so, how to get rid of them. I have run Panda Anti-Rootkit v1.08.00 and it finds nothing at all. Perhaps this is correct? Does anyone know if this software is reliable for rootkits? I found a "free" download & removal tool, AdWareAlert 2008 and decided to try that. Of course it was free to download and also to scan but you can't do anything else with it until you register, which of course involves paying them money. What concerns me is that AdWareAlert claims to have detected 17 rootkits on the PC in the following categories - 3 Adblaster risk rating 5 2 Coupon bar risk rating 5 6 Drive Cleaner risk rating 7 2 Downloader (Lastad) risk rating 8 2 Trojan (Dialer) risk rating 8 2 Trojan-dropper (Agent) risk rating 6 Rating 8 is listed as being Highly Dangerous. Unfortunately I cannot get AdWareAlert to give me a log of these entries, and I can't enlarge the screen enough to get the full address in one view. However, not one of the 17 detections correspond with the RootkitRevealer list. I have copied down the details for the two trojans listed as Highly Dangerous - hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\realarea.biz hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\realarea.biz Value Everytime I boot the PC AdWareAlert comes up with what I would call "a scare campaign", constantly nagging and warning about the need to register & pay to remove these threats. As I am retired on a very small pension, I cannot afford to buy any software that isn't absolutely essential. I would also have to purchase it for my laptop because AdWareAlert downloads current lists from their web site. I also feel that perhaps there is something not right here and AdWareAlert is more about scaring people into parting with money. At the risk of making this a long posting, I give below the RootkitRevealer log for my ancient laptop - HKLM\SECURITY\Policy\Secrets\SAC 9/4/2002 12:18 AM 0 bytes Key name contains embedded nulls () HKLM\SECURITY\Policy\Secrets\SAI 9/4/2002 12:18 AM 0 bytes Key name contains embedded nulls (*) C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CA21NRHZ 5/29/2008 6:16 PM 0 bytes Hidden from Windows API. C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAA99JS8 5/29/2008 6:18 PM 0 bytes Hidden from Windows API. C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAALZ5TV 5/29/2008 6:18 PM 0 bytes Hidden from Windows API. C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAEPL5E8 5/29/2008 6:17 PM 0 bytes Hidden from Windows API. C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAK0TFNW 5/29/2008 6:18 PM 0 bytes Hidden from Windows API. C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\CAMDIV8Z 5/29/2008 6:17 PM 0 bytes Hidden from Windows API. C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\GITVV9C3\Track[1].gif 5/29/2008 6:18 PM 43 bytes Hidden from Windows API. C:\Documents and Settings\Colin & Geraldine\Local Settings\Temporary Internet Files\Content.IE5\SYN7PT2U\Track[1].gif 5/29/2008 5:45 PM 43 bytes Visible in Windows API, but not in MFT or directory index. C:\Program Files\KeirNet\K9\Emails\Recent\11BFD0B2.kml 5/29/2008 6:17 PM 2.44 KB Hidden from Windows API. C:\Program Files\KeirNet\K9\Emails\Recent\83C15784.kml 5/29/2008 6:17 PM 2.44 KB Hidden from Windows API. C:\Program Files\KeirNet\K9\Emails\Recent\D0462C2D.kml 5/29/2008 6:17 PM 2.68 KB Hidden from Windows API. C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 5/29/2008 6:04 PM 64.00 KB Visible in Windows API, but not in MFT or directory index. --------------------------- Apart from the first two false positive entries, the list is quite different from the desktop PC, though the software is as much the same as I can make it, including XP Home SP3. I have run Panda but it found nothing, as did AVG Anti-rootkit until recently uninstalled. I have not installed AdWareAlert on the laptop. As a general rule, is there any need to be concerned with entries found by RootkitRevealer and which have 0 bytes? I would expect that the entries KeirNet\K9 are false positives as this is my spam filter, though I would appreciate confirmation. I don't understand why these entries are not found for the desktop as it too has the K9 spam filter. I am concerned about the two entries with the graphic GIF files that are now used by most web sites. Has some web site dropped a malicious file on the laptop? I am also concerned about the last entry. Sorry that this is such a long posting but this gets all my rootkit worries out in one go. Best wishes to all members, Colin Robertson Brisbane, Australia ------------------------------