Rootkit on Sys #1 removed - Checking Sys #2


vizion

OK, I thought I would double check after Bruce found the way to clear one of my systems of a new and nasty rootkit. So, on Bruce's recommendation, I am posting HijackThis logs for each system, starting with the two that did not appear clean. This system is called Sleuth.

I would really appreciate it if someone could take a look at the logs. I know these damn trojans have a habit of infecting systems on the same network, especially when, as in this case, there is extensive use of network shares. As we believe the infected machine is now clear, I would like to be reasonably sure about the others, but Bruce's time is very precious and he needs to concentrate on other things.

Attached is the HijackThis log file from Sleuth.

This machine is sometimes extremely slow, but I have no solid reason for believing it is infected. However, it shows a notification error after login:

Keyhook.exe - Entry point not found

The procedure entry point ? DDrawSupportGetDriverName@CSISEsc@@QAEHPADH@Z could not be located in the dynamic link library SiSApCom.dll

There are also notices of the following type in the event log:

Source Windows Search Service

Event ID 1015

Time 5:47:26 AM

Event ID 3013 for the Windows search service has been suppressed 100 times since 5:26:32 AM. This event is used to suppress Windows search events that have incurred frequently within a short period...

Event ID 3013

(NB the system is on drive E:\ not C:\)

The entry <E:\CONFIG.MSI\77DAE.RBF> in the hash map cannot be updated.

Context: Application, SystemIndexCatalog

Details

A device attached to the system is not functioning (0x8007001f)

I am sorry to say I know more about administering Unix systems than MS$, so I am not certain what to do about this... if I were to rely on instinct alone I would say this is not a malware-related problem -- but instincts need to be disabused from time to time!!! <chuckles>

Thanks

David

hijackthis_Sleuth.txt


Root Admin

I don't see anything obvious in the log to indicate an infection. The system has to be slow due to all the software currently installed, much of it set to run when the computer boots up.

See this link for the Keyhook error. Basically, you probably need to reinstall a driver for the system or repair it.

Super VGA Keyboard Daemon

I would do some computer maintenance and reduce the number of programs that are in the startup.

Thanks very much for your observations - your point about startups I felt to be very apt! Thank you.

However, I wanted to tell you that, unless I missed something, I found the other link very disappointing. I felt you should be aware of this before providing the link to someone else in similar circumstances.

That was because I only found that site using the "Keyhook error" as a label upon which to make a strong pitch to purchase Registry Mechanic. I found no information focusing on the problem.

Maybe I missed something, in which case I apologise, but maybe you did not realise that the site does not really seem to offer solutions to problems but only uses the existence of known problems as a "hook" to sell a product that may or may not fix the problem!!!

I would caution other users about that site - whilst I am sure the product has genuine benefits and may be an excellent general registry tool (I actually have a licensed copy on one of my systems), it does not really offer the ability to fix problems of this nature, even though it uses the existence of any problem as an inducement to buy. Their website (however good their software may be) seems to me to be an example of poor marketing practices, and I leave it with the feeling their administration is ethically challenged.

A site to be recommended only with caution would be my conclusion.

Thanks again

David


Root Admin

Hi David,

Sorry for all the advertising, but there is not much I can do about it. This is a very well known site and they are the ones that host many other utilities to fight malware. Running a website, though, is not free, and many use advertising to pay for the hosting costs.

If you wish not to see all that advertising, then I'd suggest maybe using Firefox with the NoScript and AdBlock Plus add-ons; then you would hardly see any of that advertising. I've been using them so long I didn't even know there was that much advertising on the site. I had to use IE with no tools to see what you probably saw.

There was no real information on fixing it, just that it is potentially the cause of the error. I'm guessing that locating and installing the original software from the manufacturer may fix it.

Name: SiS Windows KeyHook

Filename: keyhook.exe

Command: C:\WINDOWS\system32\keyhook.exe

Description: SIS graphics cards related: "Super VGA Keyboard Daemon" - hooks into the keyboard processing chain in order to enable hotkey settings

File Location: C:\WINDOWS\system32\keyhook.exe

Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.

HijackThis Category: O4 Entry
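The Run, RunOnce, RunServices and RunServicesOnce keys listed above are what HijackThis reports as O4 entries. The following PowerShell script is an added example (not posted in this thread and not part of HijackThis) that enumerates those autostart locations, resolves each command to its executable, and reports whether the file still exists on disk and whether it carries a valid Authenticode signature, which is a quick way to review a long startup list like the one on Sleuth. It assumes a modern PowerShell with the HKLM:/HKCU: drives and an elevated session so the machine-wide keys are readable; the registry paths are standard, and the system drive is taken from the environment rather than assumed to be C:\.

```powershell
# Autostart locations that HijackThis reports as O4 entries.
# RunServices/RunServicesOnce are Windows 9x-era keys; Test-Path skips them where absent.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath([string]$command) {
    # A quoted path is taken whole; otherwise the first whitespace-delimited token.
    if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($command.Trim() -split '\s+')[0] }
    # Expand %SystemRoot% etc. so a system drive other than C:\ (E:\ on Sleuth) resolves.
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PS* metadata properties; they are not startup values.
            if ($p.Name -like 'PS*') { continue }
            $cmd    = [string]$p.Value
            $exe    = Get-ExecutablePath $cmd
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Exe       = $exe
                Exists    = $exists
                Signature = $sig
            }
        }
    }
}

# Missing or unsigned executables sort to the top for review.
Get-AutostartEntries | Sort-Object Exists, Signature | Format-Table -AutoSize
```

An entry whose file no longer exists (for example a leftover keyhook.exe reference) can simply be removed from the key; an unsigned one is worth checking against the vendor's install media before trusting it.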
