CastleCops, Internet Crime Fighters

[FIXED] Did my routine PC checkup and found some root-kits.

 
WillysWonka79
Trooper
Joined: Dec 18, 2007
Posts: 14
Location: USA

PostPosted: Tue Jun 10, 2008 5:30 pm    Post subject: Did my routine pc checkup and found some root-kits.

The Sophos anti-rootkit found \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888.com

The Rootkit Revealer found HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed

And the McAfee Rootkit Detective found a whole bunch of these: HKLM\SOFTWARE\Microsoft\Protected Storage Provider\* Local Machine *\Data

negster22
Security Expert, Premium Member
Joined: Mar 10, 2004
Posts: 5394
Groups: Moderators, MVP, Premium, RootKit Detection Hosts, Rootkit Experts, Security Experts, SRT

PostPosted: Wed Jun 11, 2008 3:52 am    Post subject:

These are not rootkits. Rootkit detectors do not always distinguish between legit and malicious entries.

The only registry key of possible concern is this one:
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888.com

Have you used an "immunize" function to add sites to the Restricted zone of IE? Spybot S&D does this, SiteAdvisor does this too, and so do some other programs.

The domain 888.com is an online casino and gameroom website.

You can tell by using Regedit to look at the DWORD value for this key whether 888.com is in the trusted zone or restricted zone of Internet Explorer. If the value is 4 then that domain is in the restricted zone. If it is 2, then the domain is in the Trusted Zone (you don't want it there). If you can't find this key and it is hidden, then that's a bad sign.

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888.com


_________________
Negster22 - MS MVP - Consumer Security 2006-2008 image
WillysWonka79

PostPosted: Wed Jun 11, 2008 12:23 pm    Post subject: Yep, its hidden alright.

Thanks for reading and replying to my post. Sophos is the only program that finds it. I looked through the registry for it, nothing.
I have a lot of weird web sites under my Domains area, ones I've never even been to. So.... What to do now?

negster22

PostPosted: Wed Jun 11, 2008 8:38 pm    Post subject:

The fact that you are seeing all those weird domains in your registry indicates that you have used a program with an "immunization" function. Some programs like SiteAdvisor do not inform you in the description on their product page that immunization is done.

Let's use a tool to automatically search your Registry for all occurrences of the string 888.com

  • Download RegSearch and extract the contents of the zip file.
  • Double-click the icon for RegSearch.exe to launch the program.
  • Enter 888.com in the first box, as string to search for and click "OK".
  • After completion Notepad will be opened with all the found instances of the string.
  • The resulting file is saved in the same location as RegSearch.exe.
  • Please post back the results - only if any occurrences were found.

If nothing is found, then we can use a rootkit detector with a Registry browsing function to see if the flagged key is present. I highly doubt that it is hidden though, because RKR detects hidden registry entries quite well, and it did not flag the key:
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888.com


WillysWonka79

PostPosted: Wed Jun 11, 2008 8:47 pm    Post subject: Here are the results.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 6/11/2008 3:44:17 PM for strings:
; '888.com'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]

; End Of The Log...

negster22

PostPosted: Thu Jun 12, 2008 2:11 am    Post subject:

Those keys are used for cookie handling, both globally and for the current user. You can check the DWORD value data for that key using Regedit to determine whether your IE settings are blocking or allowing cookies for that domain:

0x00000005 - Blocks cookies
0x00000001 - Allows cookies

Ideally, the data value is a 5.


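The two registry checks negster22 describes above (ZoneMap\Domains DWORD data: 4 = Restricted sites, 2 = Trusted sites; P3P\History DWORD data: 5 = block cookies, 1 = allow cookies) can be run against a .reg export instead of clicking through Regedit, and the same export is a quick way to separate scanner hits that the normal registry API can see from hits it cannot. The script below is an added example, not code from this thread or from any of the tools mentioned. The export text and the scanner hit list are constructed to mirror the thread's data, and the value name "*" (the whole-domain entry) is an assumption about how those keys are usually populated; the decoding table is what the posts above state.

```python
"""Decode IE ZoneMap / P3P\\History DWORDs from a .reg export and reconcile them
with the key paths a rootkit scanner flagged. Added example with constructed data."""
import re

# ZoneMap\Domains\<domain> DWORD data = IE zone ID; P3P\History\<domain> DWORD data = cookie decision.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
COOKIE_POLICY = {1: "allow cookies", 5: "block cookies"}

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD_LINE = re.compile(r'^(?P<name>"[^"]*"|@)=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for every key in a .reg export.
    Keys without DWORD data still appear (empty dict), so "present but empty"
    is distinguishable from "absent"; ';' lines are comments (RegSearch's header)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _DWORD_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("name") == "@" else m.group("name").strip('"')
            keys[current][name] = int(m.group("hex"), 16)
    return keys


def describe(key, values):
    """Turn one key's DWORDs into (severity, message) tuples."""
    low, out = key.lower(), []
    for marker, table, warn in (("\\zonemap\\domains\\", ZONE_NAMES, (1, 2)),
                                ("\\p3p\\history\\", COOKIE_POLICY, (1,))):
        if marker not in low:
            continue
        domain = key[low.index(marker) + len(marker):]  # text after the marker, case preserved
        for scheme, data in values.items():
            label = table.get(data, "unknown value %d" % data)
            # Trusted/Intranet zone or "allow cookies" widens what the site may do: flag it.
            sev = "WARN" if data in warn else "info"
            out.append((sev, "%s (%s) -> %d %s" % (domain, scheme, data, label)))
    if not values:
        out.append(("info", "%s present, no DWORD data" % key))
    return out


def reconcile(scanner_keys, export_text):
    """Split scanner hits into keys the export sees (decoded) and keys it does not.
    The export comes through the normal registry API, so a flagged key missing here
    is the one case worth a raw-hive check (GMER's Registry tab, RootkitRevealer)."""
    exported = parse_reg_export(export_text)
    by_lower = {k.lower(): k for k in exported}
    result = {"decoded": [], "not_in_export": []}
    for flagged in scanner_keys:
        # Scanners print paths with a leading backslash or in [brackets]; normalise both.
        real = by_lower.get(flagged.strip("[]").lstrip("\\").lower())
        if real is None:
            result["not_in_export"].append(flagged)
        else:
            result["decoded"].extend(describe(real, exported[real]))
    return result


# Constructed sample export, modeled on the thread's RegSearch/GMER findings (not real output).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888net.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]
"*"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]
"*"=dword:00000005
"""

# Constructed scanner hits, in the shapes Sophos Anti-Rootkit and RegSearch print them.
SCANNER_HITS = [
    r"\HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888.com",
    r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888net.net",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net",
]

if __name__ == "__main__":
    report = reconcile(SCANNER_HITS, SAMPLE_EXPORT)
    for sev, msg in report["decoded"]:
        print("%-4s %s" % (sev, msg))
    for key in report["not_in_export"]:
        print("MISSING (check raw hive) %s" % key)
```

On the machine itself the export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` (and the HKLM and HKU\S-1-5-18 equivalents); `reg export` writes UTF-16, so read the file with that encoding before passing it to `reconcile`. A hit that lands in `not_in_export` is the one case where a raw-hive view is worth the effort; anything in `decoded` with zone 4 or policy 5 is an immunization entry doing its job. Note that HKU\S-1-5-18 is the LocalSystem account's hive, so a ZoneMap entry there applies to processes running as SYSTEM, not to the logged-on user.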
WillysWonka79

PostPosted: Thu Jun 12, 2008 7:32 am    Post subject: Thats the thing.

It doesn't show up in Regedit.

negster22

PostPosted: Fri Jun 13, 2008 1:18 am    Post subject:

Please download ATF Cleaner by Atribune.

This program is for Vista, XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt, and uncheck cookies.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt, and uncheck cookies.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download Gmer v. 1.0.14

Create a folder such as C:\Gmer and unzip gmer114.zip to that folder

Physically disconnect your PC from the internet.

Temporarily turn all active protection programs OFF including your Antivirus, and Antispyware program guards, and HIPS if you have one installed.

Double-click gmer.exe to run it

Click the ">>>" Tab

Click the "Registry" Tab

Click "+" signs and navigate to the each of the following keys in succession:

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]


As each key is located, double-click the key and examine/record the Value data for each one.

Exit Gmer

Open a command prompt (Start | Run | type cmd and hit Enter)
  • Type or paste the following to unload the Gmer driver, then hit Enter:
  • net stop gmer
  • Exit the command prompt.

Re-enable all active protection.

Report back your findings.

Please tell me what security programs you are running including passive protection programs like SpywareBlaster.


WillysWonka79

PostPosted: Fri Jun 13, 2008 10:13 pm    Post subject: Results

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\888.com]
there was no 888.com there was just an 888net.net REG_DWORD 0X00000004 (4)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]
this one said REG_DWORD 0X00000005 (5)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\888.com]
and this one said REG_WORD 0X00000005 (5)

When I typed net stop gmer in the command prompt it said:
System error 1060 has occurred.
The specified service does not exist as an installed service.

The security programs I use are as follows: Kaspersky Internet Security 7.0 (I disabled all but the antivirus on this because I could not understand the complexity of the other programs),
Comodo Firewall Pro, Comodo BOClean 4.25, AVG Anti-Rootkit,
Sophos Anti-Rootkit, SUPERAntiSpyware, Rootkit Detective,
Spybot - Search and Destroy, WinPatrol, Rootkit Revealer,
HijackThis, SpywareBlaster, and CCleaner.

Long list, huh? I'm kinda paranoid.
OK, that's it. Hope you can figure out what's going on from here.
Thanks again for your help.

WillysWonka79

PostPosted: Sun Jun 15, 2008 10:39 pm    Post subject: So I'm still stuck here..

Please give me further information or instructions. Thank you.

negster22

PostPosted: Tue Jun 17, 2008 10:11 pm    Post subject:

Both Spybot S&D and SpywareBlaster perform an "immunize" function. In addition SpywareBlaster blocks harmful cookies which is what is happening here with 888.com. The upshot of all this, is that these entries in your registry are simply your security programs protecting you from dodgy domains. I do not know why Rootkit Detective flagged them previously but they are not cause for concern, just the opposite in effect.

I have SpywareBlaster installed and I can confirm that 888net.net is one of the domains it puts in the IE Restricted zone. The "Restrictive Site Protection" function within SpywareBlaster will allow you to view all the domains it restricts. Doing this prevents harmful downloads, ActiveX installations, script execution, and "spyware cookies".

The Gmer error just means the driver was already unloaded so no problem there.


WillysWonka79

PostPosted: Wed Jun 18, 2008 4:56 am    Post subject: Well, that's a relief.

Thank you for your time and help. I'm glad to hear it's nothing to worry about.

negster22

PostPosted: Thu Jun 19, 2008 3:06 am    Post subject:

You're welcome, WillysWonka79.

Since this issue has been resolved I will mark this topic as "Fixed".

