Mischel Internet Security Forum > TrojanHunter > TrojanHunter Scanner
Topic: Scanning For Rootkits With Trojanhunter
_writer (Newbie, Posts: 4)
Scanning For Rootkits With Trojanhunter
« on: Jun 30th, 2008, 12:43pm »

Dear TH Forum Members & Admin,
 
Thanks for including this useful forum so new users can ask questions. I've had a good look through the FAQs and did a forum search for "rootkit scanning" without success, so I'll post a question here and check back regularly.
 
Okay.. Here goes:
 
I downloaded Trojanhunter 4.0 Evaluation Copy (Build 890) from Castlecops and installed it. On Castlecops the article writer mentions one can scan for rootkits with TH even on a Windows 98 SE machine.  
 
Here's what Castlecops recommend:
 
"Open the TrojanHunter scanner and click on the Trojan icon on the left side, then do a search for "rootkit" and you will see the list of rootkits that it detects and removes."
 
So, I followed those steps but I cannot see any option for "scanning rootkits" - Any advice welcome.  
 
Kind Regards, Writer.
 
PS: My reasons for testing TH were twofold. 1: TH still supports Windows 98 SE. 2: I think I may have a rootkit due to these suspicious files on my PC:  
 
eSellerateControl350.dll  
eSellerateEngine.dll  
 
Symantec report these files as being "medium risk" on their website, associating the above files with a program called TrueSword.exe. Since I can't find traces of "Truesword" on my system I'm not sure why those two dlls above are on my hard-drive.
 
After a full scan with TH, these files aren't being flagged as a trojan, though I cannot be sure "how" TH scans for rootkits at this point. (Hence my posting).
 
Does Trojanhunter have different ways of scanning one's hard-drive, depending on which "Trojan Detection Rules" are selected, please?
siliconman01 (Global Moderator, Posts: 5815)
Re: Scanning For Rootkits With Trojanhunter
« Reply #1 on: Jun 30th, 2008, 2:38pm »

Welcome to the forum _writer,
 
TrojanHunter does scan for a number of rootkits.  
 
First, the version of TrojanHunter that you downloaded/installed is very old.  In fact, the current detection rules cannot be used by this old version.  I recommend the following:
 
1.  Uninstall the version of TrojanHunter that you have on your computer.  Be sure to unload/exit THGuard.exe before uninstalling.  
 
2.  Download/install the Trial Version of TrojanHunter (V5.0.962).  The download link is below:
 
http://www.misec.net/products/TrojanHunterSetup.exe
 
3.  Once you get the newest version installed, please go to the link below and download/install the latest rulesets.  (The Trial version does not have the normal LiveUpdate activated).  New rulesets are issued daily.  
 
http://www.misec.net/trojanhunter/updating/
 
4.  Then reboot your computer into SAFE MODE.  The link below explains how to reboot into SAFE MODE.
 
http://support.microsoft.com/kb/180902
 
5.  Run a FULL SCAN of your computer with TrojanHunter.  Let it quarantine what it finds.
 
6.  Reboot back into Normal Mode.  
 
7.  Post back here the TrojanHunter scan log.  It is located in folder Scan Reports at C:\Program Files\TrojanHunter 5.0\Scan Reports.
 
NOTE:
 
I don't think the two files below are from a rootkit.  They may be adware/spyware.  Let's see if the latest rulesets of TrojanHunter detect them during your scan in SAFE MODE.
 
eSellerateControl350.dll  
eSellerateEngine.dll  
 
Do you have a program named netchatspy on your computer?
« Last Edit: Jun 30th, 2008, 3:07pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
_writer (Newbie, Posts: 4)
Scanning For Rootkits - Update From Writer
« Reply #2 on: Jul 1st, 2008, 4:49pm »

Dear Silicon Man & TH Forum Members,
 
Thank you for responding so quickly. I am impressed Trojanhunter 5.0 (Build 962) still supports Windows 98 SE (many companies don't bother developing new builds for this o/s platform).
 
I noticed the interface for TH 5.0 is different when one clicks the "Trojans" button. Instead of clicking different Trojan Detection Rules, there is a "details" button which shows all loaded rule files. It wasn't clear which rules were being used for scanning in TH 4.0; TH 5.0's interface has corrected this issue.
 
Okay... I followed your instructions carefully ...
 
In SAFE MODE, I performed a full scan with the Updated Rules:
 
+-- General ---
Ruleset datestamp  : 2008-06-30
Scan kernel        : 5.0 (Aurelius)
Ruleset entries    : 178652
Trojan definitions : 68041
Detection rules    : 178652
 
During the scan I got this error message from TH 5.0:
 
"Error: Unable to perform port check: PortChecker not initialized"
 
After the fullscan I checked in directory:
 
C:\Program Files\TrojanHunter 5.0\Scan Reports
 
No log file had been generated. (Please note, my Windows file settings are set to show "all files".)
 
TH 5.0 indicated: No Trojans Detected.  
 
Silicon Man asked:
 
"Do you have a program named netchatspy on your computer?"
 
I performed a windows file manager search for a program called netchatspy.exe - There do not appear to be any instances of this program on my system. If this program manifests itself in other ways (such as dlls) I would be pleased to know.  
 
I left the suspicious files on my hard-drive before I scanned:
 
eSellerateControl350.dll  
eSellerateEngine.dll  
 
TH 5.0 does not flag them as adware/malware.
 
Since Silicon Man and Symantec mention these files are or may be associated with malware, I will remove them manually and run a Registry Cleaner. As far as I can tell, they are not part of Microsoft's system files, or associated with legitimate software on my system.
 
Appreciate your support.
 
Kind Regards, writer.  
 
PS: I have a section on my website which reviews AV products (to improve the online experience for my readers).  
 
Since TH 5.0 still supports Win98, loads/scans fast, supplies updated rules, had a fast download server and has a responsive forum, I will be posting a favourable review of this product, subject to the software company's permission.
 
I have noticed a review section here, too. A very good idea users/readers always appreciate.
« Last Edit: Jul 1st, 2008, 4:56pm by _writer »
siliconman01 (Global Moderator, Posts: 5815)
Re: Scanning For Rootkits With Trojanhunter
« Reply #3 on: Jul 6th, 2008, 1:11am »

_writer,
 
My apologies for somehow missing your followup post.  I must have been asleep at the switch when scanning the forum for new posts.
 
Would you please submit the following files to Mischel Internet Security for analysis.  The link below describes how to submit.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Files to submit:
 
eSellerateControl350.dll  
eSellerateEngine.dll  

 
Gavin or Magnus will get back to you as to whether these two files are malicious.  If you have not heard back within 2 days, please post back here.  
 
Note:  The error below is from not having an internet connection during the scan while in SAFE MODE.
 
Quote:
"Error: Unable to perform port check: PortChecker not initialized"
« Last Edit: Jul 6th, 2008, 1:14am by siliconman01 »
_writer (Newbie, Posts: 4)
Scanning For Rootkits With Trojanhunter- Update
« Reply #4 on: Jul 7th, 2008, 11:45am »

Dear Silicon Man & TH Forum Readers,
 
I wasn't expecting more followup, Silicon Man! (Although I selected "Notify Of Replies" just in case). The fact you are being so thorough with more followup is very impressive!
 
It's pretty reassuring to know TrojanHunter staff can "analyze" suspect files; I can't remember this service being mentioned via other AV forums/products.
 
Okay, first thing's first:  
 
I zipped the files (or rather file) I feel is suspicious. I prefer using WinRAR for zipping, since that's the easiest way I've found to create password "archives" (zip files).  
 
Hope WinRAR is acceptable? (I haven't used other winzip utilities for years).
 
I say "file" because eSellerateControl350.dll has mysteriously vanished off my hard drive! (I believe this can happen with rootkits - files morphing and changing - although I am not a Rootkit Expert).
 
I traced eSellerateEngine.dll to a directory on my PC. It appears to be part of a legitimate program downloaded some while ago when I was developing my website.
 
The program that contains eSellerateEngine.dll is called CSE HTML Validator (CSELite70.exe). Since CSE appear to be a legitimate software developer, I will be attempting to contact them about their inclusion of "eSellerateEngine.dll" and why it generates files (eSellerateControl350.dll) that suddenly vanish from my PC.
 
Out of curiosity, I selected File Properties, Version Tab to discover the origins of eSellerateEngine.dll (A good way to discover if a file is part of Microsoft family, or other well-established company). The company who make eSellerateEngine.dll do clearly state who they are:  
 
eSellerate Inc.
 
I checked on the web to see if eSellerate Inc have their own website. They do, but I found the way they presented the site very confusing. No clear contact details, no clear details about what their product does and who uses it. (It doesn't appear to be geared towards "ordinary computer users").
 
Rather it looks like some kind of eCommerce Solution for businesses - Adware?
 
I'll be very interested to read what the TrojanHunter Team make of this file. The bottom line being I didn't give express permission to be part of an "eCommerce Solution". This kind of sales tactic, in fact, causes worry for PC users, since the process of download and installation isn't transparent. (In other words, users can't be sure if they have a PC virus/trojan or not!)
 
Hope you'll be able to post your analysis on the forum for all members, Silicon Man - I'm sending your team my passworded zip file now. . .
 
Kind Regards, _writer
siliconman01 (Global Moderator, Posts: 5815)
Re: Scanning For Rootkits With Trojanhunter
« Reply #5 on: Jul 7th, 2008, 2:49pm »

Thanks for your submittal of esellerateengine.dll.  Yes, WinRar is okay for submissions.  Gavin/Magnus will analyze and respond accordingly.  
 
I did find one webpage that is calling it spyware.  The link below shows it as malicious.  That does not necessarily mean that it is malicious on your machine, however.  As you know, files with the same name often come in different flavors.
 
http://www.dllspyware.com/spyware-dll.php/esellerateengine.dll/error.html
 
Did you check the Quarantine folder of Norton to see if eSellerateControl350.dll was snagged by Norton?
 
Would you please post a scan log using Hijackthis.  I would like to see if anything looks suspicious via Hijackthis.  Please do the following.
 
1.  Create a folder under C:\Program Files and name the folder Hijackthis.  (C:\Program Files\Hijackthis)
 
2.  Go to the link below and download Hijackthis.  Save it in the folder Hijackthis at C:\Program Files\Hijackthis.  
 
NOTE:  Download version 1.99.1 because the TrendMicro version does not seem to run properly on Windows 98/ME
 
http://www.majorgeeks.com/download.php?det=3155
 
3.  Once you get the program downloaded, execute it.  Run a Scan and Save Log.  Copy/Paste the log back here.  Please do not try to fix anything via Hijackthis until I have had a chance to examine the log.
_writer (Newbie, Posts: 4)
Scanning For Rootkits With Trojanhunter- Update 2
« Reply #6 on: Jul 8th, 2008, 2:34pm »

Dear Silicon Man & TH Forum Readers,
 
Hmm. . . Well, TH File Analyzing Team kindly emailed me back today. They indicate eSellerateEngine.dll is not adware. Instead, it appears to be used "to help" legitimate software companies.
 
In what way software companies are being "helped" by this file isn't clear to me! Any advice welcome.  
 
Thanks for the link to dllspyware. It made interesting reading. I don't use the MS IE browser much, although it's installed on my system. To be fair to Symantec, they mention eSellerateEngine *can* be associated with malware, rather than dllspyware mentioning it *is* malware.
 
Personally, I don't like the idea of any software "monitoring" my website visits. Who would?
 
If there was an easy way to get in touch with eSellerate Inc, I'd try to clarify what their program really does. But their website just doesn't seem geared for direct communication (something I find a little odd).
 
Anyway, the upshot of all this is eSellerateEngine seems a controversial file. . .  
 
So, here's the HJT log (I already had a version on my PC).
Can't see much wrong with it myself, although an expert eye is appreciated.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:46 PM, on 7/8/08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIEBHO.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMIECC.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEExt.htm
O8 - Extra context menu item: Download all links with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEGetVL.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5316/mcfscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL
 
--
End of file - 6949 bytes
 
 
Kind Regards, _writer
siliconman01 (Global Moderator, Posts: 5815)
Re: Scanning For Rootkits With Trojanhunter
« Reply #7 on: Jul 8th, 2008, 10:33pm »

Your Hijackthis log is clean.  There is one minor housekeeping item that you may wish to correct.
 
1.  Run a HJT scan.
 
2.  When the scan is completed, place a checkmark in the box next to the following item.  BE SURE it is the only item checked.
 
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
 
3.  Close your browser.
 
4.  Click on Fix Checked located at the lower left corner of the HJT.  Confirm that you want HJT to fix the item and allow it to fix.
 
5.  Close HJT.
 
I'm not sure what else to add concerning eSellerateEngine.  It is benign software on your system.
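As an added example (not code from the thread, TrojanHunter or HijackThis), here is a small Python triage script for HJT logs of the kind posted above. It pulls out the two things siliconman01 checked by eye: entries whose target is "(no file)" (the orphaned O9 button he had fixed) and R0/R1 start/search page values pointing at a host the owner never configured, which is how a browser hijacker shows up in such a log. The sample log is constructed: a few lines modelled on the thread's log plus one invented hijacked search page (example.invalid) so the check has something to flag.

```python
"""Triage a HijackThis (HJT) log: pull out the entries a reviewer checks first."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# An HJT entry reads "<code> - <body>", e.g.
#   "O9 - Extra button: (no name) - {CLSID} - (no file)"
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

@dataclass
class Entry:
    code: str             # HJT section, e.g. "O9"
    body: str             # everything after "O9 - "
    clsid: Optional[str]  # "{GUID}" when the entry names a COM object
    target: str           # last " - " field: a path, a URL or "(no file)"

def parse_hjt(text: str) -> List[Entry]:
    """Keep only R*/O* entry lines; header, process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        target = body.rsplit(" - ", 1)[-1].strip() if " - " in body else body
        entries.append(Entry(m.group("code"), body, clsid.group(0) if clsid else None, target))
    return entries

def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose file is gone ("(no file)"): the housekeeping case in this thread."""
    return [e for e in entries if e.target.lower() == "(no file)"]

def unexpected_pages(entries: List[Entry], allowed_hosts) -> List[Tuple[str, str]]:
    """R0/R1 start/search page values whose host is not one the owner expects."""
    flagged = []
    for e in entries:
        if e.code not in ("R0", "R1") or "=" not in e.body:
            continue
        name, _, url = e.body.partition("=")
        url = url.strip()
        if not url:
            continue  # "Local Page =" is legitimately empty, as in the thread's log
        if (urlparse(url).hostname or "") not in allowed_hosts:
            flagged.append((name.strip(), url))
    return flagged

# Constructed sample: lines modelled on the thread's log plus one invented
# hijacked search page (example.invalid) so the check has something to flag.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://example.invalid/search
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
End of file - 6949 bytes
"""
```

Running `orphaned(parse_hjt(SAMPLE_LOG))` returns just the O9 entry, and `unexpected_pages(..., {"google.co.uk"})` returns only the invented example.invalid search page; everything else in the sample is left alone, matching the moderator's "log is clean" verdict.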