Stealth Items And Generic Rootkits, What To Do?

[flywelder]

I know little about removing rootkits and infections, I'm no expert, just a home owner with a desk top comp. running windows XP with service pack 3. I'm also very new user of Immunet3 having never used immunet before, and I need your help please.

My computer was acting up severely, and wouldn't install updates from windows. Unknown to me the computer was infected. I had microsoft essentials even! Thus I wasn't able to get the latest updates for XP. I dropped essentials and found immunet3 just a week ago. It found 53 infections! I have been trying to educate myself on my own about using immunet and properly setting it up and using it to remvoe infections and protect my computer. I have reached a point where I don't understand what to do or how to interpret the results from scans.

 

1) Last night I ran a rootkit scan plus, with Immunet3. Results indicate 31 stealth items were found! I don't know if these were quarentined, removed, corrected, or are still on the loose? Can you tell me?

 

2) I don't see a means to save the list of found stealth items to a txt file, is there a means to do so? So I can post the list here for experts to better help me.

 

examples of two of the stealth items is: AppData.folder.dat

and also : LocalAppData.folder.datmusic.folder.dat

 

3) Also, immunet3 reports that there are 4 generic rootkits it failed to quarentine. what do I do about these?...

they are: W32 generic hidden rootkit, in C : document and settings \biomed \ application data \real\ update\ upgrade helper\ realplayer \ 10.80

 

what little I know about root kits and infections , leads me to believe

The same kootkit is listed in these locations : temp ; upgrade helper; real player; and 10.80

 

mayday!

Thank you

[ritchie58]

Hi flywelder and welcome to the Immunet Forum. I would venture to guess the reason you're not getting any Windows updates is the fact that Microsoft has ended all support for XP earlier this month. This includes any further security updates. Here's a forum topic you might want to read. http://forum.immunet...-x-p-read-this/

 

Do you use any encryption or file/folder locking program to keep files hidden or to protect files? If so it is important to unencrypt or unlock any folders or files before you start a root-kit scan. Otherwise the detection engine will see these as hidden or stealth items and they will be quarantined. If you don't use any encryption/locking program than those detections very well may be genuine malware. In all likelyhood those stealth items were quarantined so if they are malware they are not a threat to your system now.

 

The detections for the RealPlayer may be False Positives on the other hand. Does your RealPlayer still launch and function normally since the detections?

 

I'm a little concerned about the RealPlayer possible FP detections so my advice would be to send in a Support Diagnostic Tool report to Support and have them take a look at Immunet's history data for you. I'ts fairly easy to send in a detailed SDT report and here is a FAQ topic to read up on the subject. http://forum.immunet...ic-tool-report/ All the file paths that were quarantined will be included in the 7zip file the tool creates to your Desktop. Also mention this topic you started in the Malware Removal section of the forum in your email.

 

It is possible to Delete (or Restore, if the files are legit) these stealth items from Quarantine but for now wait and see what Support has to say. If it's ok to delete or restore these items I'd be happy to give you detailed instuctions on how to do that.

 

Best wishes, Ritchie...

[flywelder]

Hi Ritchie,

I am not aware of any file or folder encrypting or locking program to be installed on the computer. and i looked in folder options and saw that the computer is set to NOT hide folders. So am I following you correctly? , help me to understand .

 

I'm am concerned that I have not heard from any one at 'support' yet with answers and a solution! .....I feel time is running out to seriously address and correct this infection...I hope they respond today..

All I have received is a confirmation that my request for their help was submitted and received by them.

[flywelder]

Ritchie,

Here are some logs from scans that might help you folks when helping me. and then again maybe they won't but I'm trying to make helping me, easy. by giving you folks a lot of info. Delete this if you think it should be seen by others beyond those of the bonded and trusted experts like your self at Immunet. thanks Ritchie. Oh and I forgot to answer your question about Real player. yes real player does appear to function properly.

 

RK { rogue killer} found issues I guess,as I'm no expert at interpreting the results from scans, and I don't completely understand the results or what to do now with the results. apparently there is or was registry or proxy or hosts issues and driver issues.

It found issues with immunet and I think short cuts . what ever it is I saw the report labeled them as false. Can you look at the logs and determine if they are false and instruct me on how to proceed?

checkup.txt4-29-2014.txt

RKreport0_D_04292014_091309.txt

RKreport0_H_04292014_091247.txt

RKreport0_S_04292014_091112.txt

RKreport0_S_04292014_091524.txt

[flywelder]

Ritchie forgive me for leaving you another message but I just thought of another question or two that I forgot to mention earlier.

 

1) I can not recall how to save to my desk top, a log report / scan report, from immunet, and do so as a txt file?

 

2) when I look at the immunet file history, I see several green check marks , and that I guess is good. But I also see both red pad locks and yellow exclamation marks. Ritchie, what do the red and yellow trying to alert me to? oddly enough these colors are beside the file names where supposedly the infections of the generic hidden root kits are.

3) so will these red and yellow "icons" ever turn to green check marks? if so , when?

4) how will I know that immunet has quarantined all threats and infections after there has been infections found?

5) should I be happy with all the new " safe files" immunet has installed on my computer.. when I really don't know what they are or for what web sites they are protecting me from etc?

 

Thank s Ritchie, I greatly appreciate your answers!

[flywelder]

Ritchie, I just ran another full scan. the results say clean but immunet is displaying a window which is informing me that it found 30 stealth items!... now 30! not 4 like before!??????

 

the really bad things that are irritating me so much right now are:

1) 14 days now after finding the first stealth items and still no answers from Immunet or the forum on what to do about them! and now I have 30!????

 

2nd) that the little immunet window informing me of the stealth items offers NO recourse, NO action buttons! to deal with the found stealth items. So what is a person to do today with 30 stealth items??

 

3) please some one tell me what is a stealth item any way?

 

I started out all gung ho for Immunet, singing praises of it to many.... now I'm about to turn coat!

 

Help Ritchie, Help Forum members, Help Immunet support staff! please, I beg of you!

[ritchie58]

Hello again, let me see if I can answer a few of your questions. I think this is something Support needs to address. There seems to be a sudden influx of users reporting the same thing. That is, the root-kit scan detecting stealth items when no other encryption software is being used. That's troublesome!

 

The easiest way to create a support dump is click on Start > All Programs > click on the Immunet 3.0 folder > click on the Support Diagnostic Tool. This creates a 7zip file to your Desktop.

 

A stealth item is a file that is hidden from the system which could potentially be a root-kit.

 

Not sure about the red padlock & exclamation marks showing on the GUI even though the green check marks are present. Do you have any screen capture software to document this? I use FoxArc Screen Capture freeware myself. http://www.foxarc.com/ It's not complicated to use and it's free!

 

I'm going to contact an Administrator for you to see if your case can be expidited. You need answers to your issue that I just can't provide.