Posted by Tim Walters on July 2, 2006, 11:30 am
I ran a RootkitRevealer scan yesterday, and there were 4000+ discrepancies.
I then put down a fresh installation of W2K (dual booting) on a different
drive, and ran a virus check. A Kak.worm was found but it didn't detect any
rootkit. I then rebooted under my main installation, and ran RootkitRevealer
again. There are 4243 discrepancies. Here are a few samples taken from the
scan report. (The same sampling is also attached, since when it is opened in
Notepad each entry has its own line.)
Can anyone say if this is evidence of a rootkit? And what can I do to get
rid of these discrepancies?
Thanks, Tim
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions02\Filename 2/21/2004 2:50 AM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions02\Description 2/21/2004 2:50 AM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions03\Filename 2/21/2004 2:51 AM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions03\Description 2/21/2004 2:51 AM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions04\Filename 2/21/2004 10:59 PM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions04\Description 2/21/2004 10:59 PM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions05\Filename 2/22/2004 7:13 AM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions05\Description 2/22/2004 7:13 AM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions06\Filename 3/16/2004 11:09 PM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions06\Description 3/16/2004 11:09 PM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions07\Filename 4/8/2004 7:58 AM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions07\Description 4/8/2004 7:58 AM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions08\Filename 4/8/2004 7:59 AM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions08\Description 4/8/2004 7:59 AM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions09\Filename 6/18/2004 11:59 PM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions09\Description 6/18/2004 11:59 PM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions10\Filename 7/12/2004 2:47 PM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions10\Description 7/12/2004 2:47 PM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions11\Filename 9/20/2005 11:38 PM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions11\Description 9/20/2005 11:38 PM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions12\Filename 2/16/2006 11:57 PM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions12\Description 2/16/2006 11:57 PM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions13\Filename 2/17/2006 12:07 AM 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions13\Description 2/17/2006 12:07 AM 25 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\\Pins\Input\Types\ 2/17/2006 12:07 AM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\\Pins\Input\Types\ 2/17/2006 12:07 AM 91 bytes Data mismatch between Windows API and raw hive data.
C:\RECYCLER\NPROTECT 7/2/2006 4:29 PM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255032.xml 7/2/2006 5:19 AM 336 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255033.txt 7/2/2006 5:19 AM 3.98 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255034.swf 7/2/2006 5:19 AM 261 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255035.swf 7/2/2006 5:19 AM 7.12 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255036.swf 7/2/2006 5:19 AM 299 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255037.htm 7/2/2006 5:19 AM 2.79 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255038.htm 7/2/2006 5:19 AM 343 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255039.xml 7/2/2006 5:19 AM 11.94 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255040.xml 7/2/2006 5:21 AM 11.94 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255041.xml 7/2/2006 5:23 AM 11.94 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255042.xml 7/2/2006 5:25 AM 11.94 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255043.xml 7/2/2006 5:27 AM 11.94 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT255423.gif 7/2/2006 9:24 AM 43 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255423.gif: 7/2/2006 9:24 AM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255424.gif 7/2/2006 9:24 AM 43 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255424.gif: 7/2/2006 9:24 AM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255425.gif 7/2/2006 9:24 AM 35 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255425.gif: 7/2/2006 9:24 AM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255426.gif 7/2/2006 9:24 AM 35 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255426.gif: 7/2/2006 9:24 AM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT257817 7/2/2006 3:58 PM 168.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT257818 7/2/2006 3:58 PM 2.85 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT257819 7/2/2006 3:58 PM 108.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT257820 7/2/2006 3:58 PM 60.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT257821 7/2/2006 3:58 PM 20.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT257822 7/2/2006 3:58 PM 22.05 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT257823 7/2/2006 3:58 PM 5.12 MB Hidden from Windows API.
H:\RECYCLER\NPROTECT013301.WPD 7/1/2006 1:10 AM 6.03 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013302.WPD 7/1/2006 1:10 AM 22.50 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013303.wpd 7/1/2006 1:10 AM 17.00 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013304 7/1/2006 1:10 AM 43.86 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013305 7/1/2006 1:10 AM 14.00 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013306 7/1/2006 1:10 AM 11.47 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013307 7/1/2006 1:10 AM 16.51 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013353.exe 7/1/2006 1:10 AM 6.04 MB Hidden from Windows API.
H:\RECYCLER\NPROTECT013354.dll 7/1/2006 1:10 AM 159.27 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013355.ZIP 7/1/2006 1:10 AM 3.22 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013356.ZIP 7/1/2006 1:10 AM 53.84 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013357.ZIP 7/1/2006 1:10 AM 27.00 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013358.ZIP 7/1/2006 1:10 AM 23.00 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT013359.ZIP 7/1/2006 1:10 AM 16.42 KB Hidden from Windows API.
H:\RECYCLER\NPROTECT\NPROTECT.LOG 7/2/2006 9:25 AM 631.38 KB Hidden from Windows API.
Posted by Grzegorz Wiktorowski on July 2, 2006, 1:29 pm
>I ran a RootkitRevealer scan yesterday, and there were 4000+ discrepancies.
>[snip]
I suggest dropping a message at
http://www.sysinternals.com/Forum/forum_topics.asp?FID=17
--
Grzegorz Wiktorowski
Posted by David H. Lipman on July 2, 2006, 2:04 pm
| I ran a RootkitRevealer scan yesterday, and there were 4000+ discrepancies.
| I then put down a fresh installation of W2K (dual booting) on a different
| drive, and ran a virus check. A Kak.worm was found but it didn't detect any
| rootkit. I then rebooted under my main installation, and ran RootkitRevealer
| again. There are 4243 discrepancies. Here are a few samples taken from the
| scan report. (The same sampling is also adjoined because opened in Notepad
| each entry has its own line.)
|
| Can anyone say if this is evidence of a rootkit? And what can I do to get
| rid of these discrepancies?
|
| Thanks, Tim
Nope. Is there a reason for suspicion?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Posted by cquirke (MVP Windows shell/use on July 2, 2006, 8:49 pm
On Sun, 2 Jul 2006 17:30:43 +0200, "Tim Walters"
>Can anyone say if this is evidence of a rootkit?
One thing I can mention is that Norton NProtect is known to exhibit
rootkit-like behavior that is correctly identified by some heuristic
rootkit detection tools.
This may be linked to the commercial malware that is built into Norton
Antivirus, i.e. the DRM stuff that fusses over whether you are using
it in breach of Symantec's licensing terms.
Having user-hostile behaviour stealthed into an av product raises
practical problems, as well as the obvious ethical objections:
- malware could attack the av by triggering the DRM payload
- manual cleanup may trip over NAV's stealth component
In addition, because this DRM code is inherently user-hostile, can you
really trust Symantec to document it properly (given that doing so may
enable users to circumvent it)?
This issue is one reason why I consider NAV unfit for use.
>-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...
>-------------------- ----- ---- --- -- - - - -
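A small triage script, added here as an example and not part of any post in this thread, that parses RootkitRevealer lines in the format Tim posted, splits them into "hidden from Windows API" and "hive data mismatch" findings, and marks hidden entries under \RECYCLER\NPROTECT as explained by Norton's protected recycle bin (the NProtect behaviour cquirke describes), leaving everything else for manual review. The known-benign rule, the sample lines and the fifth (placeholder) path are assumptions constructed from this thread, not output from the tool.

```python
import re
from collections import Counter

# One RootkitRevealer line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <unit> <description>
# The path may contain spaces, so the date is used as the anchor that ends it.
_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<size>[\d.]+)\s+(?P<unit>bytes|KB|MB)\s+"
    r"(?P<desc>.+)$"
)

# Known-benign explanation taken from this thread (assumption): Norton's protected
# recycle bin (NProtect) hides its files from the Windows API, which RootkitRevealer
# reports as a discrepancy. Add further rules here as they are confirmed.
KNOWN_BENIGN = [
    ("nprotect-recycle-bin", re.compile(r"^[A-Z]:\\RECYCLER\\NPROTECT", re.I)),
]

def parse_line(line):
    """Return a dict for one scan-report entry, or None if the line is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["kind"] = "hidden" if entry["desc"].startswith("Hidden") else "mismatch"
    entry["explained_by"] = next(
        (name for name, rx in KNOWN_BENIGN if rx.match(entry["path"])), None)
    return entry

def triage(report_text):
    """Count entries by (kind, explanation); 'unexplained' groups need a manual look."""
    counts = Counter()
    for line in report_text.splitlines():
        e = parse_line(line)
        if e:
            counts[(e["kind"], e["explained_by"] or "unexplained")] += 1
    return counts

# Constructed sample in the same format as the posted report; the last path is a placeholder.
SAMPLE = r"""
HKLM\S-1-5-21-776561741-343818398-682003330-500\Control Panel\Microsoft Input Devices\Mouse\Exceptions02\Filename 2/21/2004 2:50 AM 11 bytes Data mismatch between Windows API and raw hive data.
C:\RECYCLER\NPROTECT255032.xml 7/2/2006 5:19 AM 336 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT255423.gif: 7/2/2006 9:24 AM 0 bytes Hidden from Windows API.
H:\RECYCLER\NPROTECT\NPROTECT.LOG 7/2/2006 9:25 AM 631.38 KB Hidden from Windows API.
C:\PLACEHOLDER\constructed-hidden.dat 7/2/2006 9:25 AM 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    for (kind, why), n in sorted(triage(SAMPLE).items()):
        print(f"{kind:9s} {why:22s} {n}")
```

Run it over the full saved scan report instead of SAMPLE; any group that stays "unexplained" after the known-benign rules is the part worth investigating.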