An Error Occurred In Cmd.exe That Prevents Rootkitrevealer
BleepingComputer.com forum: Security → Am I infected? What do I do?

Rootkit Revealer Says Error In Cmd.exe
Started by jerryc, Oct 22 2007 09:18 PM

#1 jerryc (Members, 91 posts), posted 22 October 2007 - 09:18 PM

XP Pro, fully updated, Trend Micro, Spywareblaster, Adaware, A2, all show no current problems. Did get a keylogger a few months ago, which was so severe it shut off Trend. All seems pretty well with that now, but sometimes I think there still may be some issue there, as occasionally the keys seem slow or double strike. I just ran Rootkit Revealer and got the title message, that "there's an error in cmd.exe which prevents RR from accurately analyzing the system." Below are the first 5 lines that were captured before it quit. The first two are from April, the rest are today. There were many more lines, all of which were Temp Int Files which I have since deleted, but I have not yet rescanned.
HKLM\SECURITY\Policy\Secrets\SAC* 4/24/2007 3:41 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 4/24/2007 3:41 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\TotalScanned 10/22/2007 3:37 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\LastScannedFileName 10/22/2007 3:37 PM 49 byte
Sources quoted below: https://www.experts-exchange.com/questions/22770989/spooldr-sys.html and https://blogs.technet.microsoft.com/markrussinovich/2005/03/22/updated-rootkitrevealer/

Experts Exchange > Questions > spooldr.sys
Solved: spooldr.sys. Posted on 2007-08-17. Topics: Anti-Virus Apps, Windows XP. 1 Verified Solution, 36 Comments, 3,876 Views. Last Modified: 2013-11-22

I have an interesting situation. A client called and told me that her computer wouldn't shut down. Actually, it would shut down but then it would immediately reboot. I reset the machine so it would not restart after an error, which caused me to get the infamous blue screen of death with the "PAGE_FAULT_IN_NONPAGED_AREA" error message. The STOP error was 0x00000050. I tried to do a system restore but was unable to because there was an update to Adobe Reader the day I picked. I changed the settings back so that she could at least use her computer until I could get back to it. When I returned she told me that the machine now would boot to the desktop and then restart itself. I tried several times to start it normally with no success. Then I started the machine in Safe Mode and everything seemed to work except for her mouse. (It is not a PS/2 or USB but a parallel port mouse.) I returned to the Advanced Options screen and chose "Disable Auto Restart on System Fail." This gave me a blue screen when the computer tried to restart. The error message was "The Problem seems to be caused by the following file - spooldr.sys." Again I had the "PAGE_FAULT_IN_NONPAGED_AREA" error message.
The technical information was: Address - F89C29BD, base at F89C1000, Date Stamp - 469e788d. STOP 0x00000050 (0x00000000, 0xF89B69BD, 0x00000002). The mouse also will not work in Debugging mode. From what I can tell spooldr.sys is a rootkit. With all I have mentioned above, how can I get rid of it? Thanks! Robert

Question by: RobertEhinger

Best Solution by rpggamergirl (LVL 47): If you can, please run S
Updated RootkitRevealer (Mark Russinovich, March 22, 2005)

Yesterday we released RootkitRevealer v1.30. This release is in direct response to Microsoft Product Support Services (PSS) discovering actual installations of the Hacker Defender rootkit on customer systems that target RootkitRevealer.

RootkitRevealer works by comparing a high-level scan of the system via the Windows API with a low-level direct scan of file system and Registry on-disk structures. Rootkits that cloak by modifying a system view at any level above the on-disk structures will be visible as discrepancies between the two scans - that is, if their cloaking is active.

Hacker Defender's installation includes a configuration file where a malware author specifies the files, drivers, services, and other items that should be cloaked. The configuration file also includes a section where ‘root’ processes are specified. A Hacker Defender root process is one that Hacker Defender allows to see an unmodified system view. Microsoft PSS found that RootkitRevealer wasn’t detecting discrepancies on some customer systems that they verified had Hacker Defender installations. Their investigation revealed that RootkitRevealer had been added to the ‘root’ process section of the configuration file. Thus, RootkitRevealer’s two scans showed no differences.

To defeat this, Microsoft started renaming RootkitRevealer’s executable before a scan. Bryce and I decided that many users would likely not know to do this and that requiring a manual rename is inconvenient, so we modified RootkitRevealer to perform the rename automatically. When you execute RootkitRevealer it makes a copy of itself in \Windows\System32 with a randomly-generated name. It then installs that copy as a Windows service that displays its UI on the console desktop and cleans up the service installation when the scan is complete.
Since this approach doesn’t work well with a command-line executable, we added command-line options for automatic scanning and logging to a file.

Is this the last modification we’ll have to make? Not likely. This was an easy attack since it required no modification of Hacker Defender, but more sophisticated attacks are possible where a rootkit can detect a scan of RootkitRevealer in other ways, like version information or behavior analysis, and disable cloaking so as no
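The cross-view comparison and the root-process evasion described above, as an added example that is not part of Russinovich's post or of the RootkitRevealer code: the hive contents, the cloaking rules and the root-process list are all constructed here, and the name check plus random rename are simplified stand-ins for what v1.30 actually does. It also reproduces the benign embedded-null finding from the forum output above.

```python
import secrets

# Constructed raw (on-disk) hive view: key path -> value data. Not real hive data.
RAW_VIEW = {
    r"HKLM\SOFTWARE\Example\Setting": b"1",
    r"HKLM\SOFTWARE\Example\Hidden": b"cloaked",
    r"HKLM\SOFTWARE\Example\Count": b"42",
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC\x00": b"",  # legitimate embedded-null key
}

# Constructed cloaking rules modelled on the post: items to hide or alter, plus
# the "root" process names that are shown an unmodified view.
CLOAK_HIDDEN = {r"HKLM\SOFTWARE\Example\Hidden"}
CLOAK_ALTERED = {r"HKLM\SOFTWARE\Example\Count": b"0"}
ROOT_PROCESSES = {"rootkitrevealer.exe"}

def api_view(process_name):
    """High-level (Windows API) view as seen by process_name under the cloak."""
    cloaked = process_name.lower() not in ROOT_PROCESSES
    view = {}
    for key, data in RAW_VIEW.items():
        if "\x00" in key:
            continue  # the Win32 API stops at the null, so this key is unreachable
        if cloaked and key in CLOAK_HIDDEN:
            continue
        view[key] = CLOAK_ALTERED.get(key, data) if cloaked else data
    return view

def cross_view_scan(api, raw):
    """Report every discrepancy between the API view and the raw on-disk view."""
    findings = []
    for key, raw_data in raw.items():
        if "\x00" in key:
            findings.append((key.replace("\x00", "*"), "Key name contains embedded nulls (*)"))
        elif key not in api:
            findings.append((key, "Hidden from Windows API"))
        elif api[key] != raw_data:
            findings.append((key, "Data mismatch between Windows API and raw hive data."))
    return findings

def scan_as(process_name):
    """Run the cross-view scan under the given scanner process name."""
    return cross_view_scan(api_view(process_name), RAW_VIEW)

def random_scanner_name():
    """What v1.30 does in spirit: a random name that a name-keyed root list cannot match."""
    return secrets.token_hex(4) + ".exe"
```

scan_as("RootkitRevealer.exe") reports only the benign embedded-null key, while scan_as(random_scanner_name()) also reports the hidden key and the altered value.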