[I've recently posted, on other Norton Discussion Forums, here, about some computer and GHOST problems I'm having.
This all seems to be evolving into a rootkit issue that seems rather "unusual."
In addition to trying to determine if I have a rootkit problem --or not -- one of my main concerns is, "Why is this stuff happening to me so frequently?" And, "How is it getting past NIS?". {BTW, I also posted this on MS's RootkitRevealer Forum.} Appreciate any thoughts.]
___________________________________________________
Been having problems with my computer for the last week or so (2004 Toshiba laptop, Win XP SP3, running NIS 2009 and GHOST 14).
[In fact, I've had some rather serious, "repair shop" (rootkit/virus, etc?) issues over the last year or so. Feeling a bit "targeted," by someone, via the Web.]
Most recently, 25 July 2009, Saturday, about 7pm my time (US, MDT) -- while I was simply looking at a MySpace page (I don't do porno, crack-code, etc, sites, at all -- just "mainstream" stuff) -- the computer went dead -- screen blank/black, but the power button light was on.
[This was somewhat similar to an event, about 1-year ago, where I had to take the computer in for repair and a complete "restore"; several hundred bucks! Fortunately, this time, it restarted (see below).]
Couldn't turn the power button off. Had to unplug from the wall. I restarted, and OK -- except GHOST now showed to be "at risk." GHOST -- the main mode of recovering my computer, all of a sudden went on the fritz. Also, it wouldn't do a "Recovery Point" save.
I posted all this to the Norton Forums, and someone suggested maybe it was a rootkit problem. So, I tried various detectors.
Results were quite "suspicious" -- at least to me. Ran SysProt and GMER (on suggestion from the Norton Forum).
SysProt crashed my system, immediately, upon selecting scan (later, it did it again, on selecting the "Kernel" tab). In both cases, Windows said (on restart) "Windows has recovered from a serious error." [I did Screen Shots of this and the details of the error messages -- seemed to have something to do with "Drivers"?]
GMER ran for 5.5 hours and never finished! (80GB HD, with only about 23GB used; 3.3GHz dual-core processor).
Results from RootkitRevealer (RKR) are particularly curious.
Ran RKR yesterday and it found 944 discrepancies! That seems like a lot? No other programs were running during the scan (AFAIK), and I was off-line (DSL modem OFF).
When I tried to save the log, it just froze. Had to go to Task Manager to x-out.
Before doing that, I was at least able to get a screen shot of the first page (with a big area blanked out by the "freeze").
Mostly, what this (first page only) showed was, "Visible in Windows API, but not in MFT or directory index," on a list of System Volume Information\_restore (then a bunch of capital letters and numbers) discrepancies.
Then, a bunch of "Hidden from Windows API," and "Visible in Windows API, but not in MFT or directory index" (but not related to System Volume Information) discrepancies.
Also, got (1) "access is denied," [which the RKR write-up says, "RootkitRevealer should never report this discrepancy..."] (2) "Key name contains embedded nulls," and (1) "Data mismatch between Windows API and raw hive data." Since these were the first things that came up in RKR, I did write these down.
"Access denied": HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg
"Key name contains embedded nulls": (first one) HKLM\SECURITY\Policy\Secrets\SAC*
(second one) HKLM\SECURITY\Policy\Secrets\SAI*
["Secrets"???]
The last one ("Data mismatch...") was:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3475520BB5615DB4D88A73FD9B390041\Usage\Shared
OK, that's all strange, I thought. So, I reran RKR today. Only got 29 discrepancies? BIG difference from 944! Same "environment" as yesterday.
So, I'm thinking maybe a very sophisticated person implementing such a rootkit has a way to hide it even better after it has been scanned by RKR (and others, like SysProt/GMER, etc)?
Or (preferably), they deleted much of it, for fear of being "discovered"?
Would greatly appreciate any thoughts on all this.
[And, if you got this far in reading, thank you very much.]
Kind Regards,
Robby
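The post lists several RootkitRevealer discrepancy types and notes that the count dropped from 944 to 29 between two runs. Below is an added triage script, written for this page and not part of the original post or of the Sysinternals tool, that parses constructed RootkitRevealer-style log lines (the tab-separated path / timestamp / size / description shape is an assumption about the saved-log format), sorts each discrepancy into a category based on the general descriptions in the RootkitRevealer documentation (file-scan disagreements and hive data mismatches are typically caused by files or values changing during the scan; "Hidden from Windows API" is the pattern most rootkits exhibit), and compares two runs so that discrepancies that persist across scans are ranked ahead of one-off ones. The sample paths, the `CONSTRUCTED_sample.sys` file name, the `PRODUCTGUID-PLACEHOLDER` product key and the analyst allow-list are all constructed or assumed here; the script says nothing about what is or is not malicious on the poster's machine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Discrepancy:
    path: str
    description: str


def _line(path: str, desc: str, stamp: str = "7/25/2009 8:10 PM", size: str = "0 bytes") -> str:
    """Build one constructed line in the assumed tab-separated RKR log shape."""
    return "\t".join((path, stamp, size, desc))


RESTORE_DIR = r"C:\System Volume Information\_restore{CONSTRUCTED-0000-0000-0000-000000000001}\RP12"
HIDDEN_DRIVER = r"C:\WINDOWS\system32\drivers\CONSTRUCTED_sample.sys"
SPTD_CFG = r"HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg"
SECRET_SAC = r"HKLM\SECURITY\Policy\Secrets\SAC*"
SECRET_SAI = r"HKLM\SECURITY\Policy\Secrets\SAI*"
INSTALLER = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\PRODUCTGUID-PLACEHOLDER\Usage\Shared"

# Constructed "day 1" run: many entries, including restore-point churn.
SCAN_DAY1 = "\n".join([
    _line(RESTORE_DIR + r"\A0001.exe", "Visible in Windows API, but not in MFT or directory index.", size="12.00 KB"),
    _line(RESTORE_DIR + r"\A0002.dll", "Visible in Windows API, but not in MFT or directory index.", size="40.00 KB"),
    _line(HIDDEN_DRIVER, "Hidden from Windows API.", size="8.00 KB"),
    _line(SPTD_CFG, "Access is denied."),
    _line(SECRET_SAC, "Key name contains embedded nulls (*)"),
    _line(SECRET_SAI, "Key name contains embedded nulls (*)"),
    _line(INSTALLER, "Data mismatch between Windows API and raw hive data.", size="4 bytes"),
])

# Constructed "day 2" run: the scan-timing artefacts are gone, the rest persists.
SCAN_DAY2 = "\n".join([
    _line(HIDDEN_DRIVER, "Hidden from Windows API.", stamp="7/26/2009 3:00 PM", size="8.00 KB"),
    _line(SPTD_CFG, "Access is denied.", stamp="7/26/2009 3:01 PM"),
    _line(SECRET_SAC, "Key name contains embedded nulls (*)", stamp="7/26/2009 3:01 PM"),
    _line(SECRET_SAI, "Key name contains embedded nulls (*)", stamp="7/26/2009 3:01 PM"),
])


def parse_rkr(text: str) -> List[Discrepancy]:
    """Parse tab-separated lines into Discrepancy records (format is an assumption)."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            raise ValueError(f"unexpected line shape: {line!r}")
        out.append(Discrepancy(path=parts[0], description=parts[3].rstrip(".")))
    return out


def classify(d: Discrepancy, allowlist: FrozenSet[str] = frozenset()) -> str:
    """Map a discrepancy to a triage category.

    'documented' = path the analyst has already investigated (assumed allow-list);
    'hidden'     = object hidden from the Windows API, the classic rootkit pattern;
    'transient'  = scan disagreement usually caused by changes during the scan;
    'anomaly'    = access-denied or embedded-null entries that need a manual look.
    """
    desc = d.description.lower()
    if d.path in allowlist:
        return "documented"
    if desc.startswith("hidden from windows api"):
        return "hidden"
    if "not in mft" in desc or "not in directory index" in desc or "data mismatch" in desc:
        if re.search(r"\\system volume information\\_restore", d.path, re.IGNORECASE):
            return "transient-restore"  # System Restore writes here while scans run
        return "transient"
    if "access is denied" in desc or "embedded nulls" in desc:
        return "anomaly"
    return "other"


def persistent_paths(run_a: List[Discrepancy], run_b: List[Discrepancy]) -> Set[str]:
    """Paths reported in both runs: these survive re-scanning, unlike timing artefacts."""
    return {d.path for d in run_a} & {d.path for d in run_b}


def triage(run_a_text: str, run_b_text: str,
           allowlist: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, bool]]:
    """Return (path, category, persistent_across_runs) for every unique path seen."""
    a, b = parse_rkr(run_a_text), parse_rkr(run_b_text)
    persistent = persistent_paths(a, b)
    by_path = {d.path: d for d in a + b}
    return [(p, classify(d, allowlist), p in persistent) for p, d in by_path.items()]


PRIORITY = {"hidden": 0, "anomaly": 1, "transient": 2, "transient-restore": 3, "documented": 4, "other": 5}


def follow_up(rows: List[Tuple[str, str, bool]]) -> List[str]:
    """Paths worth manual follow-up: hidden first, then anomalies; persistent before one-off."""
    cand = [r for r in rows if r[1] in ("hidden", "anomaly")]
    cand.sort(key=lambda r: (PRIORITY[r[1]], not r[2], r[0]))
    return [p for p, _, _ in cand]


def summary(rows: List[Tuple[str, str, bool]]) -> Counter:
    return Counter(c for _, c, _ in rows)


if __name__ == "__main__":
    # Assumed allow-list: the analyst has already documented the sptd key.
    rows = triage(SCAN_DAY1, SCAN_DAY2, frozenset({SPTD_CFG}))
    print("category counts:", dict(summary(rows)))
    for p in follow_up(rows):
        print("follow up:", p)
```

Running two scans a day apart and keeping only what both report is the cheap way to separate scan-timing noise (restore-point churn, values rewritten mid-scan) from entries that deserve a closer look; the allow-list is deliberately empty by default so that nothing is dismissed until someone has actually checked it.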