McAfee Rootkit Detective Scan Report Help

Hi,

I recently had a TDSS rootkit infection. I originally used GMER and it detected a problem. I tried running the McAfee Rootkit Detective and it reported something that seemed like a problem. After spending some time searching on Google, I ran tdsskiller and it found and cleaned the problem. GMER no longer reports any suspicious modifications. I tried running McAfee Rootkit Detective again to verify its initial findings were also gone, but they still remain. None of the original symptoms I was experiencing before seem to be happening now (random popups in Firefox, svchost accessing random IP addresses).

I would appreciate some help in interpreting the results of the McAfee Rootkit Detective scan.  Pasted below is the log:

Scan complete. Hidden registry keys/values: 1  
McAfee(R) Rootkit Detective 1.1 scan report
On 18-06-2010 at 13:22:50
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: IAT/EAT-hook
PID: 464
Details: Import : Function  : VSCShellExtensionRes.dll:KERNEL32.dll!LoadLibraryA Should be : KERNEL32.dll:7C801D7B But is    : C:\WINDOWS\Explorer.EXE:000059D0
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 464
Details: Import : Function  : VSCShellExtensionRes.dll:KERNEL32.dll!TerminateProcess Should be : KERNEL32.dll:7C801E1A But is    : C:\WINDOWS\Explorer.EXE:0000572A
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Hooked

Object-Type: Process
Object-Name: explorer.exe
Pid: 464
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: wscntfy.exe
Pid: 2512
Object-Path: C:\WINDOWS\system32\wscntfy.exe
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 2636
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1396
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 840
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: MsMpEng.exe
Pid: 1088
Object-Path: C:\Program Files\Windows Defender\MsMpEng.exe
Status: Visible

Object-Type: Process
Object-Name: mdm.exe
Pid: 1584
Object-Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
Status: Visible

Object-Type: Process
Object-Name: wanmpsvc.exe
Pid: 1832
Object-Path: C:\WINDOWS\wanmpsvc.exe
Status: Visible

Object-Type: Process
Object-Name: HPZipm12.exe
Pid: 1616
Object-Path: C:\WINDOWS\System32\HPZipm12.exe
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: hpztsb12.exe
Pid: 1308
Object-Path: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
Status: Visible

Object-Type: Process
Object-Name: TeaTimer.exe
Pid: 1928
Object-Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Status: Visible

Object-Type: Process
Object-Name: AcroTray.exe
Pid: 1868
Object-Path: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 784
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: iTunesHelper.ex
Pid: 1684
Object-Path: C:\Program Files\iTunes\iTunesHelper.exe
Status: Visible

Object-Type: Process
Object-Name: Avsynmgr.exe
Pid: 1500
Object-Path: C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
Status: Visible

Object-Type: Process
Object-Name: cpd.exe
Pid: 756
Object-Path: C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
Status: Visible

Object-Type: Process
Object-Name: Avconsol.exe
Pid: 2368
Object-Path: C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
Status: Visible

Object-Type: Process
Object-Name: UAService7.exe
Pid: 1812
Object-Path: C:\WINDOWS\System32\UAService7.exe
Status: Visible

Object-Type: Process
Object-Name: umonit.exe
Pid: 1316
Object-Path: C:\WINDOWS\System32\umonit.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 3456
Object-Path: C:\Download\McafeeRootkitDetective\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: iPodService.exe
Pid: 2372
Object-Path: C:\Program Files\iPod\bin\iPodService.exe
Status: Visible

Object-Type: Process
Object-Name: csrss.exe
Pid: 760
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1136
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: hpsysdrv.exe
Pid: 764
Object-Path: C:\windows\system\hpsysdrv.exe
Status: Visible

Object-Type: Process
Object-Name: VSStat.exe
Pid: 2252
Object-Path: C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1044
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 704
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 828
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1728
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: bgsvcgen.exe
Pid: 1512
Object-Path: C:\WINDOWS\System32\bgsvcgen.exe
Status: Visible

Object-Type: Process
Object-Name: cpd.exe
Pid: 272
Object-Path: C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
Status: Visible

Object-Type: Process
Object-Name: MSASCui.exe
Pid: 1760
Object-Path: C:\Program Files\Windows Defender\MSASCui.exe
Status: Visible

Object-Type: Process
Object-Name: CMGrdian.exe
Pid: 1420
Object-Path: C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
Status: Visible

Object-Type: Process
Object-Name: KBD.EXE
Pid: 956
Object-Path: C:\HP\KBD\KBD.EXE
Status: Visible

Object-Type: Process
Object-Name: mixer.exe
Pid: 1576
Object-Path: C:\WINDOWS\Mixer.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 988
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1268
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: wdfmgr.exe
Pid: 1764
Object-Path: C:\WINDOWS\System32\wdfmgr.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1176
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: ezSP_Px.exe
Pid: 1672
Object-Path: C:\WINDOWS\System32\ezSP_Px.exe
Status: Visible

Scan complete. No hidden processes/files found.
Total files scanned: 266137

Thanks again in advance for any assistance!
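As an added example (this is not McAfee code and was not part of the original post), the following Python script parses a Rootkit Detective 1.1 report in the format pasted above and pulls the IAT/EAT-hook entries apart into the pieces a triage needs: the process that owns the import table, the function that was imported, where the import was expected to resolve, and where it actually points. In both hook entries of this log the expected target is inside KERNEL32.dll but the observed target is an address inside C:\WINDOWS\Explorer.EXE itself, and the parser makes that comparison explicit; it also counts process entries whose status is not "Visible", which is the hidden-process signal the trailer line refers to. The reading of the "Details" field as `importing-module:exporting-module!function` is an assumption about the report format, based only on the lines shown in the post; the sample report is constructed from a subset of the posted log.

```python
"""Parse a McAfee Rootkit Detective 1.1 scan report and triage its findings.

Added example, not McAfee code. The report is a sequence of blank-line
separated blocks of "Key: value" lines; hook entries carry a free-form
"Details" line that this script splits into its components.
"""
import re
from dataclasses import dataclass

# Constructed sample in the report's own format: the two hook entries and two
# of the process entries from the posted log, plus the header and trailer.
SAMPLE_REPORT = """\
McAfee(R) Rootkit Detective 1.1 scan report
On 18-06-2010 at 13:22:50
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: IAT/EAT-hook
PID: 464
Details: Import : Function  : VSCShellExtensionRes.dll:KERNEL32.dll!LoadLibraryA Should be : KERNEL32.dll:7C801D7B But is    : C:\\WINDOWS\\Explorer.EXE:000059D0
Object-Path: C:\\WINDOWS\\Explorer.EXE
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 464
Details: Import : Function  : VSCShellExtensionRes.dll:KERNEL32.dll!TerminateProcess Should be : KERNEL32.dll:7C801E1A But is    : C:\\WINDOWS\\Explorer.EXE:0000572A
Object-Path: C:\\WINDOWS\\Explorer.EXE
Status: Hooked

Object-Type: Process
Object-Name: explorer.exe
Pid: 464
Object-Path: C:\\WINDOWS\\Explorer.EXE
Status: Visible

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Scan complete. No hidden processes/files found.
Total files scanned: 266137
"""

# Assumed layout of the Details line: "<importer>:<module>!<function> Should be : <module:addr> But is : <module:addr>"
DETAILS_RE = re.compile(
    r"Import\s*:\s*Function\s*:\s*"
    r"(?P<importer>[^:\s]+):(?P<module>[^!\s]+)!(?P<function>\S+)"
    r"\s+Should be\s*:\s*(?P<expected>\S+)"
    r"\s+But is\s*:\s*(?P<actual>.+?)\s*$"
)


@dataclass
class Hook:
    pid: int
    host_path: str        # Object-Path of the process whose memory holds the table
    importer: str         # module whose import table contains the entry
    module: str           # DLL that should export the function
    function: str
    expected_module: str
    expected_addr: int
    actual_module: str
    actual_addr: int
    status: str

    def redirected_into_host(self) -> bool:
        """True when the hook target lies in the host image rather than the exporting DLL."""
        return self.actual_module.lower() == self.host_path.lower()

    def describe(self) -> str:
        return (f"PID {self.pid}: {self.importer} -> {self.module}!{self.function} "
                f"expected {self.expected_module}:{self.expected_addr:08X}, "
                f"got {self.actual_module}:{self.actual_addr:08X} [{self.status}]")


def parse_blocks(text):
    """Split the report into blocks; keys are lower-cased so 'PID' and 'Pid' merge."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip():
                entry[key.strip().lower()] = value.strip()
        if "object-type" in entry:          # drops the header and trailer blocks
            blocks.append(entry)
    return blocks


def _split_target(spec):
    """'C:\\WINDOWS\\Explorer.EXE:000059D0' -> (path, 0x59D0); the address is the last field."""
    module, _, addr = spec.rpartition(":")
    return module, int(addr, 16)


def parse_hooks(text):
    hooks = []
    for b in parse_blocks(text):
        if b["object-type"] != "IAT/EAT-hook":
            continue
        m = DETAILS_RE.search(b.get("details", ""))
        if not m:
            continue                        # unrecognised Details layout: skip rather than guess
        exp_mod, exp_addr = _split_target(m["expected"])
        act_mod, act_addr = _split_target(m["actual"])
        hooks.append(Hook(int(b["pid"]), b.get("object-path", ""), m["importer"], m["module"],
                          m["function"], exp_mod, exp_addr, act_mod, act_addr, b.get("status", "")))
    return hooks


def summarize(text):
    """Counts a reader would check first: hooks, hooks landing in the host image, hidden processes."""
    blocks = parse_blocks(text)
    procs = [b for b in blocks if b["object-type"] == "Process"]
    hooks = parse_hooks(text)
    m = re.search(r"Total files scanned:\s*(\d+)", text)
    return {
        "processes": len(procs),
        "hidden_processes": sum(b.get("status", "").lower() != "visible" for b in procs),
        "hooks": len(hooks),
        "hooks_into_host_image": sum(h.redirected_into_host() for h in hooks),
        "files_scanned": int(m.group(1)) if m else None,
    }


if __name__ == "__main__":
    for h in parse_hooks(SAMPLE_REPORT):
        print(h.describe())
    print(summarize(SAMPLE_REPORT))
```

Run against the full pasted log, the script reports two hooks, both redirected into Explorer.EXE, and zero hidden processes. A hook whose target is a module you can account for (a shell extension or security product that the process list shows to be installed) is a different finding from one whose target is an unnamed region or a file you cannot locate; the parser leaves that judgement to the reader but puts the two addresses and module names side by side so the check is quick to make.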
