
RootkitRevealer Scan


clapper62 | Programmer | Apr 17, 2003 | 113 | US
Just finished a hard cleanup of a friend's computer.
Everything seems OK now, but I ran RootkitRevealer and below
are the results of the scan.


HKLM\S-1-5-21-1715567821-1604221776-725345543-1003\RemoteAccess\InternetProfile 4/3/2006 12:03 AM 7 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Enum\Root\RDP_KBD\0000\HardwareID 1/24/2007 6:40 PM 172 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet003\Enum\Root\RDP_KBD\0000\HardwareID 11/9/2006 10:26 PM 172 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet003\Enum\Root\RDP_KBD\0000\Capabilities 11/9/2006 10:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet004\Enum\Root\RDP_KBD\0000\HardwareID 1/24/2007 6:40 PM 172 bytes Windows API length not consistent with raw hive data.


I'm not really familiar with how rootkits work. Does this scan show something I should be worried about?


"There is no pleasure in having nothing to do; the fun is having lots to do and not doing it." - Andrew Jackson
 
That is clean!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Thanks much

"There is no pleasure in having nothing to do; the fun is having lots to do and not doing it." - Andrew Jackson
 
Hi, I have the same question and suspect I have a rootkit. Even though I clean my PC regularly, I often have an unknown task launched on my taskbar (it appears for a few seconds) and I am wondering what it is. Maybe a rootkit???
(I clean my PC with Acronis Private Expert/Ad-Aware SE Professional/Kaspersky (as you can see below)/Spybot - Search & Destroy.)
Thanks for your advice.
serros

HKLM\SECURITY\Policy\Secrets\SAC* 20/08/2004 23:57 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 20/08/2004 23:57 0 bytes Key name contains embedded nulls (*)

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\288.2F311E2401C747CA.history 03/02/2007 20:33 0 bytes Hidden from Windows API.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\cdc.EC30498001C747C7.history\00000000.bak 03/02/2007 20:27 206 bytes Hidden from Windows API.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\d80.EE16A93801C747C7.history 03/02/2007 20:17 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\da0.EE41938C01C747C7.history 03/02/2007 20:17 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\de0.EE9505DA01C747C7.history 03/02/2007 20:17 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\f28.7FB82C9A01C747C8.history 03/02/2007 20:21 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\f68.F25F62F001C747C7.history 03/02/2007 20:17 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\fd8.F3F4B2B401C747C7.history 03/02/2007 20:17 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\fe4.1FD6FB4401C747C8.history\00000000.bak 03/02/2007 20:23 9.57 MB Hidden from Windows API.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\1cab_File_Monitoring_eventcritlog.rpt 03/02/2007 20:41 165.45 KB Hidden from Windows API.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\1cad_Web_Monitoring_eventlog.rpt 03/02/2007 20:45 4.45 KB Visible in directory index, but not Windows API or MFT.

C:\Documents and Settings\Serge\Local Settings\Temp\~DF8769.tmp 03/02/2007 20:45 16.00 KB Visible in directory index, but not Windows API or MFT.

C:\Documents and Settings\Serge\Local Settings\Temp\~DF878C.tmp 03/02/2007 20:45 512 bytes Visible in directory index, but not Windows API or MFT.

C:\Documents and Settings\Serge\Local Settings\Temporary Internet Files\Content.IE5\XMVINVQE\CAUVQDTG.HTM 03/02/2007 20:45 888 bytes Visible in directory index, but not Windows API or MFT.

C:\WINDOWS\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 12/10/2006 15:29 252.00 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 12/10/2006 15:29 111.50 KB Visible in Windows API, but not in MFT or directory index.
 
Clean! Clean out your temp files and clear the cache now and again!


* Click here to download ATF Cleaner by Atribune and save it to your desktop.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
  o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.




* Go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the "Delete Cookies" button to clear the cookies.


To block cookies in IE:

Go to View / Privacy Report / highlight the offending cookie / click Summary / choose "Never allow this site to use cookies" / click OK and exit! This will block all tracking cookies from being set on your computer!


For Mozilla:

To block cookies in Mozilla and stop them from coming back, click on Tools / Options / Privacy / View Cookies. You will now see a list of cookies; click on all the cookies you don't want to keep to delete them! You can view all the blocked cookies by clicking Exceptions!


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
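As an added triage example (not code from this thread, from Sysinternals, or from RootkitRevealer itself), here is a small Python script that parses RootkitRevealer discrepancy lines of the shape posted above, maps each discrepancy description to a category, and sorts entries into "expected", "rescan" and "review" buckets. The line format, the category names, and the benign-location rules (LSA secret names with embedded nulls under HKLM\SECURITY\Policy\Secrets, antivirus data under the Kaspersky Lab directory, files in Temp and Temporary Internet Files changing mid-scan) are assumptions drawn from the two scans and the replies in this thread, not RootkitRevealer's own logic. The sample lines are copied from the scans posted above.

```python
"""Triage helper for RootkitRevealer discrepancy output (example code, not
RootkitRevealer's own logic).

Assumed line shape, taken from the scans posted in this thread:
    <path> <date> <time> <size> <discrepancy description>
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}(?:\s?[AP]M)?)\s+"
    r"(?P<size>\d+(?:\.\d+)?\s(?:bytes|KB|MB|GB))\s+"
    r"(?P<reason>.+?)\.?$"
)

# Discrepancy descriptions RootkitRevealer printed in this thread, mapped to
# a short category used for triage.
CATEGORIES = {
    "Hidden from Windows API": "hidden_from_api",
    "Visible in Windows API, but not in MFT or directory index": "transient",
    "Visible in directory index, but not Windows API or MFT": "transient",
    "Data mismatch between Windows API and raw hive data": "hive_mismatch",
    "Windows API length not consistent with raw hive data": "hive_mismatch",
    "Key name contains embedded nulls (*)": "embedded_nulls",
}

# Benign-location heuristics (assumptions for this example, based on the
# replies in this thread that judged both scans clean):
# (category, path regex, explanation).
EXPECTED = [
    ("embedded_nulls", r"^HKLM\\SECURITY\\Policy\\Secrets\\",
     "LSA secret names with embedded nulls that Windows itself creates"),
    ("hidden_from_api", r"\\Kaspersky Lab\\",
     "antivirus self-protection hiding its own data files"),
    ("transient", r"\\Temp\\|\\Temporary Internet Files\\",
     "temporary file created or deleted while the scan was running"),
]


def parse_line(line):
    """Return a dict of fields for one discrepancy line, or None if the line
    does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = CATEGORIES.get(rec["reason"], "unknown")
    return rec


def triage(rec):
    """Assign a verdict: 'expected' (matches a benign heuristic), 'rescan'
    (object changed between scan passes) or 'review' (look at it by hand)."""
    for category, pattern, explanation in EXPECTED:
        if rec["category"] == category and re.search(pattern, rec["path"], re.IGNORECASE):
            return "expected", explanation
    if rec["category"] == "transient":
        return "rescan", "object changed between the API and raw-disk passes; confirm with a second scan"
    return "review", "no benign explanation matched; inspect the object by hand"


def triage_report(lines):
    """Parse and triage every recognisable line, returning a list of dicts."""
    report = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["verdict"], rec["why"] = triage(rec)
        report.append(rec)
    return report


def summarize(report):
    """Count entries per (category, verdict) pair."""
    return Counter((r["category"], r["verdict"]) for r in report)


# Sample input: lines copied from the two scans posted in this thread.
SAMPLE_LINES = [
    r"HKLM\S-1-5-21-1715567821-1604221776-725345543-1003\RemoteAccess\InternetProfile 4/3/2006 12:03 AM 7 bytes Data mismatch between Windows API and raw hive data.",
    r"HKLM\SYSTEM\ControlSet002\Enum\Root\RDP_KBD\0000\HardwareID 1/24/2007 6:40 PM 172 bytes Windows API length not consistent with raw hive data.",
    r"HKLM\SECURITY\Policy\Secrets\SAC* 20/08/2004 23:57 0 bytes Key name contains embedded nulls (*)",
    r"C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\288.2F311E2401C747CA.history 03/02/2007 20:33 0 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\Serge\Local Settings\Temp\~DF8769.tmp 03/02/2007 20:45 16.00 KB Visible in directory index, but not Windows API or MFT.",
    r"C:\WINDOWS\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 12/10/2006 15:29 252.00 KB Visible in Windows API, but not in MFT or directory index.",
]

if __name__ == "__main__":
    rep = triage_report(SAMPLE_LINES)
    for r in rep:
        print(f"{r['verdict']:8} {r['category']:16} {r['path']}  ({r['why']})")
    print(summarize(rep))
```

Entries that land in the review bucket (here the two registry value mismatches) are the ones worth checking by hand, for instance by comparing the value against the other ControlSets; the rescan bucket holds files that changed between RootkitRevealer's Windows API pass and its raw-disk pass, which a second scan on a quiet system normally clears.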
 