From: bigot.charlot on 6 Jun 2006 09:30
Hi,
I think I may have a rootkit.
Below is the result of the scan of a special rootkit revealer build. Can
someone tell me about it ?

HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 19/10/2004 17:12 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\? 09/10/2004 19:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 19/10/2004 17:13 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg41 06/06/2006 15:13 0 bytes Hidden from Windows API.
SYSTEM 01/01/1601 02:00 0 bytes Error dumping hive: Internal error.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131211.lnk 23/04/2006 19:07 839 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131212.lnk 02/06/2006 15:13 379 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131213.ini 06/06/2006 15:10 11.90 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131214.ini 06/06/2006 15:10 16.45 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131215.dir 06/06/2006 15:10 8.66 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131216.dir 06/06/2006 15:10 46 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131217.dir 06/06/2006 15:10 2 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\change.log 06/06/2006 15:18 15.92 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\change.log.1 06/06/2006 02:47 13.99 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\change.log.2 06/06/2006 15:12 36.72 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\RestorePointSize 05/06/2006 20:54 8 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\rp.log 05/06/2006 20:54 536 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SAM 05/06/2006 20:54 28.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SECURITY 05/06/2006 20:54 44.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SOFTWARE 05/06/2006 20:54 23.86 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SYSTEM 05/06/2006 20:54 4.74 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_.DEFAULT 05/06/2006 20:54 268.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 12/01/2005 15:06 256.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-854245398-1220945662-839522115-1003 05/06/2006 20:54 5.20 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-854245398-1220945662-839522115-1003 05/06/2006 20:54 24.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\ComDb.Dat 18/01/2005 14:18 22.79 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\domain.txt 05/06/2006 20:54 40 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\$WinMgmt.CFG 05/06/2006 12:50 20 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\INDEX.BTR 05/06/2006 12:50 1.62 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\INDEX.MAP 05/06/2006 20:54 872 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\MAPPING.VER 05/06/2006 20:54 4 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\MAPPING1.MAP 05/06/2006 20:46 4.87 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\MAPPING2.MAP 05/06/2006 20:54 4.87 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\OBJECTS.DATA 05/06/2006 12:50 7.96 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\OBJECTS.MAP 05/06/2006 20:54 4.02 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\_detmp.1 02/03/2005 21:34 78.39 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\_detmp.2 30/08/2000 12:08 52.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\ISUNINST.EXE-21B3FA6E.pf 06/06/2006 15:23 16.70 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4489B61B.pf 06/06/2006 15:22 45.02 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 06/06/2006 15:15 64.00 KB Visible in Windows API, MFT, but not in directory index.
From: Zoned on 6 Jun 2006 10:59
bigot.charlot wrote:
> Hi,
> I think I may have a rootkit.
> Below is the result of the scan of a special rootkit revealer build. Can
> someone tell me about it ?
>
Looks like a load of false positives!!!!
try other Antirootkit software from http://www.antirootkit.com
They will tell you more
good luck, regards Zoned
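Neither the original post nor Zoned's reply says which of the log entries deserve attention. As an added example that is not from anyone in this thread, the following Python script parses RootkitRevealer's text lines and sorts each discrepancy type into a review priority, using five lines from the log above as constructed input; the volatile-location list, the scan-day rule and the verdict labels are my own triage assumptions, not anything RootkitRevealer defines.

```python
import re
from collections import Counter

# Constructed sample: five lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 19/10/2004 17:12 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\? 09/10/2004 19:21 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\change.log 06/06/2006 15:18 15.92 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4489B61B.pf 06/06/2006 15:22 45.02 KB Visible in directory index, but not Windows API or MFT.
"""

# One RootkitRevealer line: <path> <dd/mm/yyyy> <HH:MM> <size> <discrepancy description>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)

# Locations Windows rewrites continuously (assumption behind the heuristic below):
# an index/MFT mismatch here, dated on the scan day, usually means the file changed mid-scan.
VOLATILE_PREFIXES = (
    "c:\\system volume information\\_restore",
    "c:\\windows\\prefetch\\",
    "c:\\windows\\softwaredistribution\\",
)

def parse(log_text):
    """Turn RootkitRevealer text output into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def verdict(entry, scan_date):
    """Assign a review priority. These are triage heuristics, not a malware determination."""
    desc, path = entry["desc"], entry["path"].lower()
    if desc.startswith("Hidden from Windows API"):
        return "review"        # the classic hiding indicator; some legitimate drivers do it too
    if desc.startswith("Key name contains embedded nulls"):
        return "review"        # regedit cannot display such keys; seen from malware and vendors
    if desc.startswith("Data mismatch"):
        return "rescan"        # value changed, or sizes differ; confirm with a second pass
    if "directory index" in desc and entry["date"] == scan_date \
            and path.startswith(VOLATILE_PREFIXES):
        return "likely-benign" # churn in a volatile location while the scan was running
    return "review"

def triage(log_text, scan_date):
    """Every parsed entry plus its verdict, in log order."""
    return [dict(e, verdict=verdict(e, scan_date)) for e in parse(log_text)]

def summarize(log_text, scan_date):
    """Counts per verdict, so the reviewer sees how much of a long log actually needs eyes."""
    return Counter(e["verdict"] for e in triage(log_text, scan_date))
```

Run against the full log above, the bulk of the restore-point entries collapse into the likely-benign bucket and the two a347scsi keys and the embedded-null key are what remain to be checked by hand.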
From: bughunter.dustin on 6 Jun 2006 12:52
bigot.charlot wrote:
> Hi,
> I think I may have a rootkit.
> Below is the result of the scan of a special rootkit revealer build. Can
> someone tell me about it ?
>
[snip long logfile post]

Hey man, kindly stop posting that unless someone specifically asks you
to do so, This isn't setup for that... And it's rude :)

If someone wants to help you with the problem, take it to email. We
don't need to turn this place into another hijackthis landfill.

--
Regards,
Dustin Cook
http://bughunter.atspace.org
From: bughunter.dustin on 6 Jun 2006 12:53
Zoned wrote:
> bigot.charlot wrote:
> > Hi,
> > I think I may have a rootkit.
> > Below is the result of the scan of a special rootkit revealer build. Can
> > someone tell me about it ?
> >
>
> Looks like a load of false positives!!!!

Next thing you know, people will be dumping hijackthis logs here too. :(
From: David H. Lipman on 6 Jun 2006 17:04
From: <bughunter.dustin(a)gmail.com>
|
| bigot.charlot wrote:
>> Hi,
>> I think I may have a rootkit.
>> Below is the result of the scan of a special rootkit revealer build. Can
>> someone tell me about it ?
>>
| [snip long logfile post]
|
| Hey man, kindly stop posting that unless someone specifically asks you
| to do so, This isn't setup for that... And it's rude :)
|
| If someone wants to help you with the problem, take it to email. We
| don't need to turn this place into another hijackthis landfill.
|

:-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm