
first time use with rootalyzer



TwistedMike
2009-01-28, 22:07
This is the first time using this app, and I did a deep scan and lots of things came up. Under details they said "invisible to Win32". I don't know what that means, but it doesn't sound good, seeing that Win32 is Windows core files, I think. Any help would be much appreciated.

PepiMK
2009-01-28, 23:32
Windows NT, 2000, XP, Vista etc. have two layers:

The "NT" layer (system) underneath, and the (most often used) "Win32" layer (subsystem) above.

Any application software usually just uses the Win32 layer, so if rootkits hide stuff in that layer, it gets "invisible".

Sometimes even legit software uses rootkit technology, e.g. to hide software registration information.

Please post the list of detected things, maybe I can tell you more then :)

TwistedMike
2009-01-28, 23:51
Here is the list of things detected:

PepiMK
2009-01-30, 13:45
Wow, that's not a small list :spider:
and it looks like a rootkit indeed - which legit file names itself msqpdxcpeyqxgm.dll?

Seeing the Temp\Rar$... folders mentioned, I would suspect you got it through some download in .rar format that you extracted and ran.

You can try to remove it through RootAlyzer's detail windows. Or save the attached text with the extension .sbi and place it in Spybot-S&D's Includes\ folder, where it will be used during the next scan (use a text editor to change those 5 File: to NTFile:). Or mail the rar archive, if you still remember it, to detections@spybot.info :)

TwistedMike
2009-01-30, 23:54
I'm sorry, but I don't happen to have the rar file any more; if I had, I would send it to you. And how do I change those 5 File: to NTFile? Could you please explain a little. Thanks in advance for the help.

PepiMK
2009-02-06, 10:16
It means that when you've got that text copied into a text editor, you type N and T at the beginning of those rows ;)

So that in the end, your Something.sbi file would look like this:

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
NTFile:"Hidden file","C:\WINDOWS\system32\msqpdxcpeyqxgm.dll"
NTFile:"Invisible to Win32","C:\WINDOWS\system32\msqpdxcpeyqxgm.dll"
NTFile:"Invisible to Win32","C:\Documents and Settings\Default\Local Settings\Temp\Rar$DR01.891\WINDOWS\system32\msqpdxcpeyqxgm.dll"
NTFile:"Invisible to Win32","C:\Documents and Settings\Default\Local Settings\Temp\Rar$DR00.016\WINDOWS\system32\msqpdxcpeyqxgm.dll"
NTFile:"Invisible to Win32","C:\Documents and Settings\Default\Desktop\WINDOWS\system32\msqpdxcpeyqxgm.dll"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\KLIF\Parameters\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\KLIF\Parameters\909\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\KLIF\Instances\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\KLFLTDEV\Rules\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\klbg\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\klbg\Instances\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\AVP\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\KLIF\Parameters\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\KLIF\Parameters\909\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\KLIF\Instances\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\KLFLTDEV\Rules\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\klbg\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\klbg\Instances\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\AVP\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\KLIF\Parameters\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\KLIF\Parameters\909\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\KLIF\Instances\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\KLFLTDEV\Rules\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\klbg\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\klbg\Instances\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\AVP\","$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123"
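The edit PepiMK describes above (turning the File: rows into NTFile: rows, so the next Spybot scan looks the paths up through the NT layer rather than the Win32 layer the rootkit hooks) can also be done by a small script, which has the side benefit of giving a per-object summary of what RootAlyzer found. The Python below is an added example for this thread, not code from RootAlyzer or Spybot-S&D. The line grammar it assumes (`Kind:"field","field",...` records, `//` comments, `::` section headers) is an assumption read off the posted file, not Safer Networking's published format, and the sample input is a constructed, trimmed copy of the entries posted above.

```python
"""Parse a RootAlyzer result list in Spybot-S&D .sbi form, rewrite the
File: records to NTFile:, and summarise what is hidden.

Added example for this thread; not code from RootAlyzer or Spybot-S&D.
Assumed line grammar (an assumption, not a documented format):
    Kind:"field","field",...      one record per line
    // ...                        comment
    :: ...                        section header
"""
import csv
import io
import re

# Constructed sample: a trimmed copy of the entries posted in the thread,
# before the File: -> NTFile: edit.
SAMPLE_SBI = r"""// info: Rootkit removal help file
:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\msqpdxcpeyqxgm.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\msqpdxcpeyqxgm.dll"
File:"Invisible to Win32","C:\Documents and Settings\Default\Local Settings\Temp\Rar$DR01.891\WINDOWS\system32\msqpdxcpeyqxgm.dll"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\KLIF\Parameters\","$%&'()*+,-./0123"
"""

RECORD_RE = re.compile(r'^(?P<kind>[A-Za-z]+):(?P<body>".*)$')
RAR_TEMP_RE = re.compile(r"\\Temp\\Rar\$", re.IGNORECASE)


def parse_line(line):
    """Split one line into (kind, fields).  Comments, section headers and
    blank lines come back as (None, line) so they can be copied through."""
    m = RECORD_RE.match(line)
    if not m:
        return None, line
    # The body is a quoted, comma-separated list; csv handles the commas
    # that appear inside the dumped registry values.
    fields = next(csv.reader(io.StringIO(m.group("body"))))
    return m.group("kind"), fields


def to_nt_records(text):
    """Return the .sbi text with every File: record renamed to NTFile:,
    so Spybot checks those paths through the NT layer instead of the
    Win32 layer the rootkit is hiding them from.  Other lines are copied."""
    out = []
    for line in text.splitlines():
        kind, _ = parse_line(line)
        if kind == "File":
            line = "NTFile:" + line[len("File:"):]
        out.append(line)
    return "\n".join(out) + "\n"


def summarize(text):
    """Group records by object: {file path: [statuses]} and
    {hive+key: [statuses]}.  A path listed both as 'Hidden file' and
    'Invisible to Win32' is one object flagged by two different checks."""
    files, keys = {}, {}
    for line in text.splitlines():
        kind, fields = parse_line(line)
        if kind in ("File", "NTFile"):
            files.setdefault(fields[1], []).append(fields[0])
        elif kind == "RegyKey":
            keys.setdefault(fields[1] + fields[2], []).append(fields[0])
    return files, keys


def extraction_residue(paths):
    """Copies under a Temp\\Rar$... folder are WinRAR's scratch directories:
    a hidden DLL sitting there ties the infection to an extracted archive."""
    return sorted(p for p in paths if RAR_TEMP_RE.search(p))


if __name__ == "__main__":
    print(to_nt_records(SAMPLE_SBI))
    files, keys = summarize(SAMPLE_SBI)
    for path, statuses in files.items():
        print(path, "->", ", ".join(statuses))
    for key, statuses in keys.items():
        print(key, "->", ", ".join(statuses))
    print("extracted from an archive:", extraction_residue(files))
```

Run it on the real saved list (read the file instead of SAMPLE_SBI) and write the output of to_nt_records() to Something.sbi in the Includes\ folder; the summary is only there to show which objects are duplicated across the temp copies and which registry keys are involved, and it deliberately leaves the RegyKey rows untouched, since the thread only asks for the File: rows to change.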