Inactive Slow Computer; instructions followed, reports attached.

Discussion in 'Malware and Virus Removal Archive' started by macpez, 2011/03/11.

  1. 2011/03/30
    broni Moderator Malware Analyst
    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     
  2. 2011/04/01
    macpez Inactive Thread Starter
    Having a problem with RootRepeal. I cannot get the program to launch.

    When I tried to open the file RootRepeal.exe it displayed the following message and froze: "Initializing, Please Wait. "

    I tried this twice and both times I had to close the file with Task Manager, which said that the file wasn't responding. On the second try I waited almost 30 minutes before I closed the file. The second try was done with a different downloaded file.

    Can you advise what steps to take? Also, is there another rootkit program I can use?
    Thanks.
     

  4. 2011/04/01
    broni Moderator Malware Analyst
    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool, if you downloaded from either of the second two links you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay? ".
     
  5. 2011/04/03
    macpez Inactive Thread Starter
    The following happened when I ran Rootkit Unhooker:

    Program launched OK. I selected Report tab and clicked Scan. I checked Drivers and Stealth and unchecked the remaining items as instructed.

    When I clicked on OK the computer stopped and the blue screen appeared with the following message: (I'm just listing the key parts of the message.)

    "Normandy.sys problem. Page fault in nonpage area. "
    "Normandy.sys - address B96AD125 Base @ B96A9000 Date Stamp 4bda55ez.

    I restarted computer and relaunched Rootkit Unhooker. This time I only ran a Quick Report from the menu and then closed the program. I haven't tried to run the program since then.

    I assume this indicates that I have a specific problem with a RootKit? I look forward to your response.

    Below is the Quick Report from Rootkit Unhooker:

    ---------------------------------------------------------------------------------

    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #1
    ==============================================
    ntoskrnl.exe-->NtConnectPort, Type: Address change 0x8059110B-->87144C08 [Unknown module filename]
    ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80574AA9-->8735C708 [Unknown module filename]
    ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8059323B-->872EC960 [Unknown module filename]
    ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805839B9-->EE46C620 [C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS]


    ----------------------------------------------------------------------------------
    End of post.
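As an added illustration (not part of the thread and not code from Rootkit Unhooker), a small Python script that parses the "Address change" lines of a report like the one above and separates hooks that resolve to a known security product from those with no identifiable module; the sample report text is copied from the post, and the trusted install path allow-list is an assumption.

```python
import re

# Constructed sample: the hook lines from the Rootkit Unhooker quick report
# posted above (header lines included so the parser has to skip them).
SAMPLE_REPORT = r"""RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
==============================================
ntoskrnl.exe-->NtConnectPort, Type: Address change 0x8059110B-->87144C08 [Unknown module filename]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80574AA9-->8735C708 [Unknown module filename]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8059323B-->872EC960 [Unknown module filename]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805839B9-->EE46C620 [C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS]
"""

# Only the "Address change" (SSDT entry replaced) line format is handled here.
HOOK_RE = re.compile(
    r"^(?P<image>\S+?)-->(?P<func>\w+), Type: Address change "
    r"0x(?P<orig>[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<module>[^\]]*)\]$"
)

# Hypothetical allow-list of install paths for security products that hook
# these system calls for self-protection; adjust for the machine examined.
TRUSTED_PREFIXES = (r"c:\program files\superantispyware",)


def parse_hooks(report):
    """Return one dict per hooked SSDT entry: function, addresses, owning module."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["orig"] = int(d["orig"], 16)   # address RkU expected in the table
            d["new"] = int(d["new"], 16)     # address currently in the table
            hooks.append(d)
    return hooks


def triage(hooks, trusted_prefixes=TRUSTED_PREFIXES):
    """Bucket hooks by who owns the new address. Hooks that resolve to no
    loaded module ('Unknown module filename') are the ones to look at first."""
    result = {"trusted": [], "other_driver": [], "unattributed": []}
    for h in hooks:
        mod = h["module"].lower()
        if mod == "unknown module filename":
            result["unattributed"].append(h["func"])
        elif mod.startswith(trusted_prefixes):
            result["trusted"].append(h["func"])
        else:
            result["other_driver"].append(h["func"])
    return result
```

Run on the sample, three of the four hooks (NtConnectPort, NtOpenProcess, NtOpenThread) land in the unattributed bucket, which is the pattern that makes the report worth a second look; the NtTerminateProcess hook is accounted for by the anti-spyware driver.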
     
  6. 2011/04/03
    broni Moderator Malware Analyst
    Well, at this point....

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    Good luck!
     
  7. 2011/04/03
    macpez Inactive Thread Starter
    Thanks for all your help and time. I'll take your advice and post my "rootkit problem" in the Windows XP forum. If the problem turns out to be some type of malware problem, I'll let you know. Also, once I fix my problem, I plan to upgrade the programs you mentioned. Thanks again.
     
  8. 2011/04/03
    broni Moderator Malware Analyst
    Sure thing :)
     