Posted by bigot.charlot on June 6, 2006, 9:30 am
Hi,
I think I may have a rootkit.
Below is the result of the scan of a special rootkit revealer build. Can
someone tell me about it?
HKLM\SOFTWARE\Classes\Installer\Products418F9EE1126B64A90E8365B85CFCF6\ProductName 19/10/2004 17:12 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\? 09/10/2004 19:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\DisplayName 19/10/2004 17:13 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg41 06/06/2006 15:13 0 bytes Hidden from Windows API.
SYSTEM 01/01/1601 02:00 0 bytes Error dumping hive: Internal error.
C:\System Volume Information\_restore\RP512\A0131211.lnk 23/04/2006 19:07 839 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131212.lnk 02/06/2006 15:13 379 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131213.ini 06/06/2006 15:10 11.90 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131214.ini 06/06/2006 15:10 16.45 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131215.dir 06/06/2006 15:10 8.66 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131216.dir 06/06/2006 15:10 46 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131217.dir 06/06/2006 15:10 2 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\change.log 06/06/2006 15:18 15.92 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\change.log.1 06/06/2006 02:47 13.99 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\change.log.2 06/06/2006 15:12 36.72 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\RestorePointSize 05/06/2006 20:54 8 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\rp.log 05/06/2006 20:54 536 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SAM 05/06/2006 20:54 28.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SECURITY 05/06/2006 20:54 44.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SOFTWARE 05/06/2006 20:54 23.86 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SYSTEM 05/06/2006 20:54 4.74 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_.DEFAULT 05/06/2006 20:54 268.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 12/01/2005 15:06 256.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-854245398-1220945662-839522115-1003 05/06/2006 20:54 5.20 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-854245398-1220945662-839522115-1003 05/06/2006 20:54 24.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\ComDb.Dat 18/01/2005 14:18 22.79 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\domain.txt 05/06/2006 20:54 40 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository$WinMgmt.CFG 05/06/2006 12:50 20 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\INDEX.BTR 05/06/2006 12:50 1.62 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\INDEX.MAP 05/06/2006 20:54 872 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\MAPPING.VER 05/06/2006 20:54 4 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\MAPPING1.MAP 05/06/2006 20:46 4.87 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\MAPPING2.MAP 05/06/2006 20:54 4.87 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\OBJECTS.DATA 05/06/2006 12:50 7.96 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\OBJECTS.MAP 05/06/2006 20:54 4.02 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\_detmp.1 02/03/2005 21:34 78.39 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\_detmp.2 30/08/2000 12:08 52.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\ISUNINST.EXE-21B3FA6E.pf 06/06/2006 15:23 16.70 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4489B61B.pf 06/06/2006 15:22 45.02 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 06/06/2006 15:15 64.00 KB Visible in Windows API, MFT, but not in directory index.
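As an added example (not part of the thread or of RootkitRevealer itself), a small Python triage pass over log entries in the one-line form used above: it separates tool errors and in-scan churn from the entries that describe active hiding and deserve a closer look. The churn directories and the 30-minute scan window are my own heuristic assumptions, not rules from the tool's documentation.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: entries taken from the log above, one per line.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\? 09/10/2004 19:21 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0 bytes Hidden from Windows API.
SYSTEM 01/01/1601 02:00 0 bytes Error dumping hive: Internal error.
C:\System Volume Information\_restore\RP512\change.log 06/06/2006 15:18 15.92 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\Prefetch\ISUNINST.EXE-21B3FA6E.pf 06/06/2006 15:23 16.70 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\_detmp.2 30/08/2000 12:08 52.00 KB Visible in directory index, but not Windows API or MFT.
"""

# <path, may contain spaces> dd/mm/yyyy hh:mm <size unit> <discrepancy text>
ENTRY = re.compile(r"^(?P<path>.+?) (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d) "
                   r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$")

# Locations Windows rewrites constantly (assumed heuristic, not a tool rule).
CHURN_DIRS = ("\\system volume information\\_restore\\", "\\prefetch\\",
              "\\softwaredistribution\\datastore\\")

def parse(text):
    """Parse one-line entries; lines that do not match are skipped, not guessed."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line)
        if m:
            when = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M")
            entries.append({"path": m["path"], "when": when, "desc": m["desc"]})
    return entries

def triage(entry, scan_time):
    """Sort one discrepancy into a defender's work queue."""
    desc, path = entry["desc"], entry["path"].lower()
    if desc.startswith("Error dumping hive"):
        return "tool-error"     # says nothing about hiding; rerun the scan
    if "Hidden from Windows API" in desc or "embedded nulls" in desc:
        return "investigate"    # active concealment: identify the owning driver or product
    if any(d in path for d in CHURN_DIRS) or scan_time - entry["when"] <= timedelta(minutes=30):
        return "likely-churn"   # changed by Windows while the scan walked the disk
    return "review"             # old and unexplained: check by hand

def classify_log(text):
    """Return ([(path, verdict)], Counter); scan time is approximated by the newest timestamp."""
    entries = parse(text)
    scan_time = max(e["when"] for e in entries)
    verdicts = [(e["path"], triage(e, scan_time)) for e in entries]
    return verdicts, Counter(v for _, v in verdicts)
```

Run `classify_log` over the full log to get the per-entry verdicts and a count per category; only the "investigate" bucket needs an owner identified before the scan can be called a false positive.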
Posted by Zoned on June 6, 2006, 10:59 am
bigot.charlot wrote:
> Hi,
> I think I may have a rootkit.
> Below is the result of the scan of a special rootkit revealer build. Can
> someone tell me about it ?
>
Looks like a load of false positives!!!!
Try other anti-rootkit software from http://www.antirootkit.com
They will tell you more.
Good luck,
regards,
Zoned
Posted by on June 6, 2006, 12:53 pm
Zoned wrote:
> bigot.charlot wrote:
> > Hi,
> > I think I may have a rootkit.
> > Below is the result of the scan of a special rootkit revealer build. Can
> > someone tell me about it ?
> >
>
> Looks like a load of false positives!!!!
Next thing you know, people will be dumping hijackthis logs here too.
:(
Posted by on June 6, 2006, 12:52 pm
bigot.charlot wrote:
> Hi,
> I think I may have a rootkit.
> Below is the result of the scan of a special rootkit revealer build. Can
> someone tell me about it ?
>
[snip long logfile post]
Hey man, kindly stop posting that unless someone specifically asks you
to do so. This isn't set up for that... And it's rude :)
If someone wants to help you with the problem, take it to email. We
don't need to turn this place into another HijackThis landfill.
--
Regards,
Dustin Cook
http://bughunter.atspace.org
Posted by David H. Lipman on June 6, 2006, 5:04 pm
|
| bigot.charlot wrote:
>> Hi,
>> I think I may have a rootkit.
>> Below is the result of the scan of a special rootkit revealer build. Can
>> someone tell me about it ?
>>
| [snip long logfile post]
|
| Hey man, kindly stop posting that unless someone specifically asks you
| to do so, This isn't setup for that... And it's rude :)
|
| If someone wants to help you with the problem, take it to email. We
| don't need to turn this place into another hijackthis landfill.
|
:-)
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm