Rootkit Problems

[Coinman33]

Ridiculously large screenshot placed in zip file to avoid horizontal scrolling on all but the largest displays.

I just ran RootkitRevealer and came up with the all the entries in the attachment. Is there any solution to this OTHER THAN reinstalling windows ??? Thanks in advance for any help !!!

[AlanMiller]

I don't know anything about this software (or rootkits) but would I be correct in assuming that you have some PC Magic Software installed? The advice given on Sysinternals Freeware - RootkitRevealer says:

"You should examine all discrepancies and determine the likelihood that they indicate the presence of a rootkit. Unfortunately, there is no definitive way to determine, based on the output, if a rootkit is present, but you should examine all reported discrepancies to ensure that they are explainable. If you determine that you have a rootkit installed, search the web for removal instructions. If you are unsure as to how to remove a rootkit you should reformat the system's hard disk and reinstall Windows. "

I'd do a bit of searching before deleting anything. My guess is that the discrepancies revealed aren't related to any malware.

Alan

[jhelfer]

A lot of people feel that if you find out that your computer has been succesfully attacked and compromised, and you aren't exactly sure what happened and where and when, then you can't really be sure your system still isn't compromised. You might have missed something.

In this case: "Take off and Nuke it from orbit. It's the only way to be sure"

(i.e., delete your entire hard drive, reinstall/restore from know good image, and reload your data files from archive.)

[JohnGray]

I ran RootkitRevealer on my XP Pro box, and found about 100 entries in the Firefox cache which were described as "inaccessible via the Windows API". I have no idea whether this is correct, but it worries me not in the slightest.

Do you recognise the software directories and files that Alan has identified? Or do you remember installing "something" on the most common date indicated?

Most importantly, are you experiencing any problems that could be put down to the presence of a Rootkit? If not, I would simply keep the matter in mind and be wary. There seems little point recreating everything unless there is a good factual reason for doing this.

Please note that the attached cartoon is not directed at anyone...!

John

[viking33]

See joeperez post.

<post#=456,135>post 456,135</post#>

[Coinman33]

Ok ... I've gotten everything from "blow up the whole thing" to "do nothing" and in between ... quite the concensus but as I am having no problems (that I can notice), I think I will opt for the watchful eye approach. Thanks for ALL the suggestions. As for the GREAT cartoon, I am wondering which member of the Lounge that really is <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

[jscher2000]

It does very much appear (based on Googling some file names) that your computer has the Magic Folders or Encrypted Magic Folders software installed (see http://www.pc-magic.com/des.htm). If you installed this, or someone else intentionally installed it, then most of the files are probably there properly. The registry keys with the word "Reinstall" in the path are interesting. I'm not sure why they exist or what they do. I believe Sysinternals offers a tool that will let you access these keys (RegEdit might not be able to see them) so you can determine whether you want them or not. The cookies and cache entries could have changed while you were running the scan. If you had closed your browser, maybe close all running programs and try the scan again to see if there are still discrepancies.

[AlanMiller]

> As for the GREAT cartoon, I am wondering which member of the Lounge that really is

It's not. Nobody here gets paid as well as a Waste Management Specialist!

Alan