Rootkit ?


Hi,
I think I may have a rootkit.
Below is the result of the scan of a special RootkitRevealer build. Can
someone tell me about it?


HKLM\SOFTWARE\Classes\Installer\Products418F9EE1126B64A90E8365B85CFCF6\ProductName 19/10/2004 17:12 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\? 09/10/2004 19:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\DisplayName 19/10/2004 17:13 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg41 06/06/2006 15:13 0 bytes Hidden from Windows API.
SYSTEM 01/01/1601 02:00 0 bytes Error dumping hive: Internal error.
C:\System Volume Information\_restore\RP512\A0131211.lnk 23/04/2006 19:07 839 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131212.lnk 02/06/2006 15:13 379 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131213.ini 06/06/2006 15:10 11.90 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131214.ini 06/06/2006 15:10 16.45 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131215.dir 06/06/2006 15:10 8.66 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131216.dir 06/06/2006 15:10 46 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\A0131217.dir 06/06/2006 15:10 2 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\change.log 06/06/2006 15:18 15.92 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\change.log.1 06/06/2006 02:47 13.99 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\change.log.2 06/06/2006 15:12 36.72 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\RestorePointSize 05/06/2006 20:54 8 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\rp.log 05/06/2006 20:54 536 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SAM 05/06/2006 20:54 28.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SECURITY 05/06/2006 20:54 44.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SOFTWARE 05/06/2006 20:54 23.86 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_MACHINE_SYSTEM 05/06/2006 20:54 4.74 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_.DEFAULT 05/06/2006 20:54 268.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 12/01/2005 15:06 256.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-854245398-1220945662-839522115-1003 05/06/2006 20:54 5.20 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-854245398-1220945662-839522115-1003 05/06/2006 20:54 24.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\ComDb.Dat 18/01/2005 14:18 22.79 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\domain.txt 05/06/2006 20:54 40 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository$WinMgmt.CFG 05/06/2006 12:50 20 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS 05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\INDEX.BTR 05/06/2006 12:50 1.62 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\INDEX.MAP 05/06/2006 20:54 872 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\MAPPING.VER 05/06/2006 20:54 4 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\MAPPING1.MAP 05/06/2006 20:46 4.87 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\MAPPING2.MAP 05/06/2006 20:54 4.87 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\OBJECTS.DATA 05/06/2006 12:50 7.96 MB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\_restore\RP512\snapshot\Repository\FS\OBJECTS.MAP 05/06/2006 20:54 4.02 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\_detmp.1 02/03/2005 21:34 78.39 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\_detmp.2 30/08/2000 12:08 52.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\ISUNINST.EXE-21B3FA6E.pf 06/06/2006 15:23 16.70 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4489B61B.pf 06/06/2006 15:22 45.02 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 06/06/2006 15:15 64.00 KB Visible in Windows API, MFT, but not in directory index.




Re: Rootkit ?


bigot.charlot wrote:

Looks like a load of false positives!!!!

Try other anti-rootkit software from http://www.antirootkit.com

They will tell you more.

Good luck,
regards
Zoned


Re: Rootkit ?


Zoned wrote:

Next thing you know, people will be dumping hijackthis logs here too.
:(


Re: Rootkit ?


bigot.charlot wrote:

[snip long logfile post]

Hey man, kindly stop posting that unless someone specifically asks you
to do so. This isn't set up for that... And it's rude :)

If someone wants to help you with the problem, take it to email. We
don't need to turn this place into another hijackthis landfill.

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Rootkit ?


|
| bigot.charlot wrote:
| [snip long logfile post]
|
| Hey man, kindly stop posting that unless someone specifically asks you
| to do so. This isn't set up for that... And it's rude :)
|
| If someone wants to help you with the problem, take it to email. We
| don't need to turn this place into another hijackthis landfill.
|

:-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Rootkit ?


| Hi,
| I think I may have a rootkit.
| Below is the result of the scan of a special RootkitRevealer build. Can
| someone tell me about it?
|

< snip >

Why did you execute RootkitRevealer in the first place?

Except for ...

HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0
bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg41 06/06/2006 15:13 0
bytes Hidden from Windows API.

Nothing really seems out of place. The above may be legitimate.

I suggest using the GMER program: http://www.gmer.net/

The author will be glad to assist you.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
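The two replies above boil down to a triage rule: restore-point, prefetch and temp files that appear or vanish during a scan are noise, while registry keys that are hidden from the Windows API (here the two a347scsi entries) or carry embedded nulls are the ones worth a second look. The script below, an added example that is not from this thread or from Sysinternals, applies that rule to an excerpt of the posted report. It re-joins entries that a mail or news client has wrapped, parses the four fields, and sorts each entry into a bucket. The regular expressions, the list of "noisy" locations and the bucket labels are this example's own assumptions, not rules from the RootkitRevealer author.

```python
import re

# One report entry: a path (may contain spaces), a dd/mm/yyyy hh:mm
# timestamp, a size with unit, and the discrepancy text. Assumed format.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)
# A new entry starts with a drive letter, a hive abbreviation or the bare
# hive name "SYSTEM"; any other line is a wrapped continuation.
ENTRY_START_RE = re.compile(r"^(?:[A-Za-z]:\\|HK[A-Z]+\\|SYSTEM\b)")

# Locations that legitimately change while the scan runs (restore points
# being written, prefetch/temp files, update logs). Heuristic for this example.
NOISY_PATH_PREFIXES = (
    "c:\\system volume information\\_restore\\",
    "c:\\windows\\prefetch\\",
    "c:\\windows\\softwaredistribution\\datastore\\logs\\",
)
NOISY_NAME_FRAGMENTS = ("\\_detmp.", ".tmp")


def parse_report(text):
    """Re-join wrapped lines, then split each entry into its four fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    parsed = []
    for entry in entries:
        m = ENTRY_RE.match(entry)
        parsed.append(m.groupdict() if m else
                      {"path": entry, "ts": "", "size": "", "desc": "UNPARSED"})
    return parsed


def classify(entry):
    """Return (bucket, reason); buckets are "review", "noise" and "info"."""
    path, desc = entry["path"].lower(), entry["desc"].lower()
    if desc == "unparsed":
        return "info", "entry did not parse; inspect by hand"
    if "error dumping hive" in desc:
        return "info", "hive could not be read; rescan before drawing conclusions"
    if path.startswith("hk"):  # registry entry
        if "hidden from windows api" in desc:
            return "review", "registry key hidden from the Windows API"
        if "embedded nulls" in desc:
            return "review", "key name with embedded nulls; Regedit cannot open it"
        if "data mismatch" in desc:
            return "noise", "value data differs between API and hive; usually benign"
        return "review", "unrecognised registry discrepancy"
    if any(path.startswith(p) for p in NOISY_PATH_PREFIXES) or any(
        f in path for f in NOISY_NAME_FRAGMENTS
    ):
        return "noise", "file in a location that changes during the scan"
    if "hidden from windows api" in desc:
        return "review", "file hidden from the Windows API"
    return "review", "file-system discrepancy outside known-noisy locations"


def triage(text):
    """Group (path, reason) pairs by bucket."""
    buckets = {"review": [], "noise": [], "info": []}
    for entry in parse_report(text):
        bucket, reason = classify(entry)
        buckets[bucket].append((entry["path"], reason))
    return buckets


# Constructed sample: eight entries from the report posted in this thread,
# wrapped the way a news client wraps long lines.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\Installer\Products418F9EE1126B64A90E8365B85CFCF6\ProductName
19/10/2004 17:12 58 bytes Data mismatch between Windows API and raw hive
data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\? 09/10/2004 19:21
0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0
bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg41 06/06/2006 15:13 0
bytes Hidden from Windows API.
SYSTEM 01/01/1601 02:00 0 bytes Error dumping hive: Internal error.
C:\System Volume
Information\_restore\RP512\A0131211.lnk
23/04/2006 19:07 839 bytes Visible in Windows API, MFT, but not in directory
index.
C:\WINDOWS\_detmp.1 02/03/2005 21:34 78.39 KB Visible in directory index,
but not Windows API or MFT.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 06/06/2006 15:15
64.00 KB Visible in Windows API, MFT, but not in directory index.
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(items)}) ==")
        for path, reason in items:
            print(f"  {path}\n      {reason}")
```

Run against the sample, the "review" bucket holds exactly the embedded-nulls Reinstall key and the two a347scsi keys, which matches Dave's reading of the log; the "info" bucket carries the SYSTEM hive dump error, a reminder that a scan which could not read a hive should be repeated before anything is concluded from it. Anything the script files under "noise" is still worth a glance if the same paths keep reappearing across rescans with the machine idle.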


