Interpretation of NOD32/RootkitRevealer Scan Results

Posted by Dick K on February 2, 2007, 9:21 am

Scans of my XP MCE system with RootkitRevealer and NOD32 (In
Safe Mode) yielded reports which I would normally dismiss as
insignificant. However I've just had a credit card compromised
so I'd be grateful if someone could cast a more expert eye over
the logs and offer an opinion as to whether there's anything
which merits further investigation? The system scanned clean with
up-to-date versions of Spyware Doctor, Spybot Search and Destroy
and Ad-Aware SE Personal (all in Safe Mode).

I've attached .txt versions of the log files. I hope that's
acceptable?

Attachment: RR.txt

HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Scheduler\Timestamp        02/02/2007 09:45        4 bytes        Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Scheduler\LastExec        30/01/2007 11:37        4 bytes        Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed        02/02/2007 12:21        80 bytes        Data mismatch between Windows API and raw hive data.


Attachment: NOD32.txt

Scanning Log
NOD32 version 2029 (20070202) NT
Checking CRC of NOD32.EXE: Status OK
Error occurred while scanning operating memory. System memory cannot be scanned (the kernel service is not running or an error occurred while loading nod32m1.vxd).
Date: 2.2.2007 Time: 11:32:07
Scanned disks, folders and files: C:; D:
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\Admin Account\ntuser.dat - error opening (File locked) [4]
C:\Documents and Settings\Admin Account\NTUSER.DAT.LOG - error opening (File locked) [4]
C:\Documents and Settings\Admin Account\Application Data\SecuROM\UserData\???????????p????????? - error opening [4]
C:\Documents and Settings\Admin Account\Application Data\SecuROM\UserData\???????????p????????? - error opening [4]
C:\Documents and Settings\Admin Account\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Admin Account\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Limited Account\Application Data\SecuROM\UserData\???????????p????????? - error opening [4]
C:\Documents and Settings\Limited Account\Application Data\SecuROM\UserData\???????????p????????? - error opening [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
D:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
Number of scanned files: 66413
Number of threats found: 0
Time of completion: 11:53:36 Total scanning time: 1289 sec (00:21:29)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
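The two logs above carry three kinds of line that are easy to misread: a RootkitRevealer "Data mismatch" on a value that is rewritten constantly (the CSPRNG seed, a scheduler timestamp) only means the value changed between the tool's Windows API read and its raw hive read, whereas "Hidden from Windows API" is the signature a rootkit would leave; NOD32's "File locked" on registry hives and the pagefile is the OS holding them open, not a finding; and the memory-scan error at the top of the NOD32 log means operating memory was never scanned at all. The script below is an added example, not code from the thread. It parses both log formats as they appear in the post and sorts each item into benign/expected, coverage-gap, review or investigate. The volatile-value list and the always-locked file list are assumptions for illustration; the sample lines are transcribed from the post except the "Hidden from Windows API" entry, which is made up to show the positive case.

```python
"""Triage RootkitRevealer and NOD32 scan-log lines (added example, not from the thread)."""
import re
from collections import Counter

# Registry values that are rewritten constantly and so routinely show a
# "Data mismatch" because they changed between RootkitRevealer's Windows API
# read and its raw hive read.  Assumed list for this example: the two NOD32
# scheduler values from the post plus the CSPRNG seed.
VOLATILE_VALUES = [
    re.compile(r"\\Cryptography\\RNG\\Seed$", re.I),
    re.compile(r"\\Eset\\Nod\\CurrentVersion\\Scheduler\\(Timestamp|LastExec)$", re.I),
]

# Files Windows holds open exclusively while it runs: registry hives, their
# .LOG transaction files and the pagefile.  A scanner cannot open them, Safe
# Mode or not, so "File locked" on these is not a finding.  Assumed list.
ALWAYS_LOCKED = {
    "pagefile.sys", "ntuser.dat", "ntuser.dat.log", "usrclass.dat", "usrclass.dat.log",
    "default", "default.log", "sam", "sam.log", "security", "security.log",
    "software", "software.log", "system", "system.log",
}

NOD32_ERR = re.compile(r"^(?P<path>.+?) - error opening(?: \((?P<reason>[^)]+)\))? \[(?P<code>\d+)\]$")
NOD32_MEMORY_ERR = "Error occurred while scanning operating memory"


def triage_rr(line):
    """Classify one RootkitRevealer line (tab-separated: path, time, size, description)."""
    parts = [p.strip() for p in line.strip().split("\t") if p.strip()]
    if len(parts) != 4:
        return None
    path, _when, _size, desc = parts
    if desc.startswith("Hidden from Windows API"):
        return ("investigate", path, "present on disk/in the hive but omitted from the API view")
    if desc.startswith("Data mismatch"):
        if any(p.search(path) for p in VOLATILE_VALUES):
            return ("benign", path, "volatile value changed between the API read and the raw read")
        return ("review", path, "rescan; a mismatch that persists on a static value needs a look")
    return ("review", path, desc)


def triage_nod32(line):
    """Classify one NOD32 scan-log line; returns None for lines that are not errors."""
    line = line.strip()
    if line.startswith(NOD32_MEMORY_ERR):
        return ("coverage-gap", "<memory>", "operating memory was not scanned (kernel service not loaded)")
    m = NOD32_ERR.match(line)
    if not m:
        return None
    path, reason = m.group("path"), m.group("reason")
    name = path.rsplit("\\", 1)[-1].lower()
    if reason == "File locked" and name in ALWAYS_LOCKED:
        return ("expected", path, "hive/pagefile held open by the OS")
    if reason == "Access denied" and "\\system volume information\\" in path.lower():
        return ("expected", path, "System Volume Information is ACLed to SYSTEM only")
    if reason is None:
        return ("review", path, "could not be opened and no reason given; inspect the directory entry")
    return ("review", path, reason)


def summarize(lines, triage):
    """Count verdicts over a whole log; returns a Counter keyed by category."""
    verdicts = (triage(ln) for ln in lines)
    return Counter(v[0] for v in verdicts if v is not None)


# Constructed sample input: transcribed from the post, plus one made-up
# "Hidden from Windows API" line so the positive case is exercised.
RR_SAMPLE = ["\t".join(cols) for cols in [
    (r"HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Scheduler\Timestamp", "02/02/2007 09:45", "4 bytes",
     "Data mismatch between Windows API and raw hive data."),
    (r"HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Scheduler\LastExec", "30/01/2007 11:37", "4 bytes",
     "Data mismatch between Windows API and raw hive data."),
    (r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed", "02/02/2007 12:21", "80 bytes",
     "Data mismatch between Windows API and raw hive data."),
    (r"C:\WINDOWS\system32\drivers\example.sys", "01/02/2007 00:00", "12288 bytes",
     "Hidden from Windows API."),  # hypothetical path, not from the post
]]

NOD32_SAMPLE = [
    "Error occurred while scanning operating memory. System memory cannot be scanned",
    r"C:\pagefile.sys - error opening (File locked) [4]",
    r"C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]",
    r"C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]",
    r"C:\Documents and Settings\Admin Account\Application Data\SecuROM\UserData\???????????p????????? - error opening [4]",
    "Number of threats found: 0",
]

if __name__ == "__main__":
    for ln in RR_SAMPLE + NOD32_SAMPLE:
        v = triage_rr(ln) or triage_nod32(ln)
        if v:
            print(f"{v[0]:<12} {v[1]}: {v[2]}")
    print(summarize(RR_SAMPLE, triage_rr), summarize(NOD32_SAMPLE, triage_nod32))
```

Run against the post's logs this yields three benign RootkitRevealer entries, three expected NOD32 locks/ACL denials, one unexplained "error opening" on the SecuROM files (worth a manual look at the directory entry, not a malware verdict), and one coverage gap: the NOD32 memory scan did not run, so the "0 threats" figure covers disk only.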

Posted by David H. Lipman on February 2, 2007, 4:13 pm

| Scans of my XP MCE system with RootkitRevealer and NOD32 (In
| Safe Mode) yielded reports which I would normally dismiss as
| insignificant. However I've just had a credit card compromised
| so I'd be grateful if someone could cast a more expert eye over
| the logs and offer an opinion as to whether there's anything
| which merits further investigation? The system scanned clean with
| up-to-date versions of Spyware Doctor, Spybot Search and Destroy
| and Ad-Aware SE Personal (all in Safe Mode).
|
| I've attached .txt versions of the log files. I hope that's
| acceptable?

It is acceptable to attach those logs here.

Before responding, I must ask why you ran these RootKit scanners to begin with. Was there a reason?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Dick K on February 2, 2007, 5:37 pm
David H. Lipman wrote:

>
> Before responding, I must ask why you ran these RootKit scanners to begin with. Was there a reason?
>
I wanted to reassure myself that it was unlikely that
my credit card details had leaked via a keylogger or other
malware so I ran all the scans I had available. Other
than the leak, which could have occurred in a myriad of
ways unconnected with the computer, I had no reason to
suspect a malware problem - certainly I've not seen any
anomalous system behaviour.

Since my initial post I've run Symantec's on-line virus
scan in normal mode and it came up clean.

Posted by David H. Lipman on February 2, 2007, 5:43 pm

| David H. Lipman wrote:
|
>> Before responding, I must ask why you ran these RootKit scanners to begin with. Was there a reason?
>>
| I wanted to reassure myself that it was unlikely that
| my credit card details had leaked via a keylogger or other
| malware so I ran all the scans I had available. Other
| than the leak, which could have occurred in a myriad of
| ways unconnected with the computer, I had no reason to
| suspect a malware problem - certainly I've not seen any
| anomalous system behaviour.
|
| Since my initial post I've run Symantec's on-line virus
| scan in normal mode and it came up clean.

That's what I thought. RootKit scanners are not like anti-malware scanners. They should NOT be used unless you specifically believe that you are indeed infected by a RootKit.

Both logs looked OK but the following was "interesting"....
C:\Documents and Settings\Admin Account\Application
Data\SecuROM\UserData\???????????p?????????

What is "SecuROM" ?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Sharon Franks on February 2, 2007, 5:50 pm
http://en.wikipedia.org/wiki/SecuROM

--

Sharon Franks
MCC group
Microsoft Certified Solutions Developer (MCSD)
Microsoft Certified Trainer (MCT).





