#1
Rootkit findings
I have Sysinternals "Rootkit Revealer" v1.7, so I ran it on my XP MCE system that I keep clean with frequent use of Ad-Aware SE Personal, Spybot, and Avast plus ZoneAlarm. So I was surprised when it showed 6 discrepancies. I'm even more unhappy because I cannot make sense of these 6 discrepancies. Can someone tell me what to do with these results? Do I have a zombie PC?

HKLM\SOFTWARE\Classes\CLSID\{7D5C4821-8365-2C5D-B57B-DF6D2D17C629}\InProcServer32* 9/21/2006 2:34 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DF771B98-AC91-34D8-F0EE49DCFFD7BEDE}\{02C90D3B-A401-D38F-0F8BFA977E327E75}\{1704AFF6-6AA2-2F70-F8B468ED602E6063}* 8/21/2006 3:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E9204BC4-9B67-A3A7-9418040E7EC7E28B}\{1ACE6D24-C4A9-397B-64EF395CC2F330B1}\{685A2618-4C9F-7737-7DE531E9434892E2}* 8/21/2006 3:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 8/19/2006 8:10 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/1/2007 9:06 PM 0 bytes Access is denied.
C:\System Volume Information\_restore{9BCCDCE7-37F6-4E2E-8B77-7F9EE9C69547}\RP156\A0087498.RDB 8/14/2007 6:18 PM 2.82 MB Hidden from Windows API.

Jeff
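The report in the post above is six entries run together, each in the same column layout: path, timestamp, size, description. The script below is an added example (not part of this thread and not RootkitRevealer's own code) that parses that layout into records, counts the discrepancy classes, and orders the entries by date so they can be lined up against software install dates; it also pulls the CLSID GUIDs out for manual lookup. The sample input is the six entries from the post, split one per line. The function names, the column layout and the `m/d/yyyy h:mm AM/PM` timestamp format are my assumptions from the pasted text; the script classifies and summarizes but makes no judgement about which entries are expected.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the six RootkitRevealer entries pasted in the post above,
# split one entry per line (the post ran them together). Assumed column layout:
# <path> <m/d/yyyy h:mm AM|PM> <size> <description>
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Classes\CLSID\{7D5C4821-8365-2C5D-B57B-DF6D2D17C629}\InProcServer32* 9/21/2006 2:34 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DF771B98-AC91-34D8-F0EE49DCFFD7BEDE}\{02C90D3B-A401-D38F-0F8BFA977E327E75}\{1704AFF6-6AA2-2F70-F8B468ED602E6063}* 8/21/2006 3:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E9204BC4-9B67-A3A7-9418040E7EC7E28B}\{1ACE6D24-C4A9-397B-64EF395CC2F330B1}\{685A2618-4C9F-7737-7DE531E9434892E2}* 8/21/2006 3:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 8/19/2006 8:10 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/1/2007 9:06 PM 0 bytes Access is denied.
C:\System Volume Information\_restore{9BCCDCE7-37F6-4E2E-8B77-7F9EE9C69547}\RP156\A0087498.RDB 8/14/2007 6:18 PM 2.82 MB Hidden from Windows API.
"""

# Path is non-greedy and must be followed by the timestamp, so paths with spaces
# ("System Volume Information", "URL Protocol") are still captured whole.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{20,}\}")
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Discrepancy classes, keyed on the wording used in the report above.
CATEGORIES = [
    ("embedded_nulls", "embedded nulls"),
    ("api_vs_hive_mismatch", "data mismatch"),
    ("access_denied", "access is denied"),
    ("hidden_from_api", "hidden from windows api"),
]


@dataclass
class Entry:
    path: str
    timestamp: datetime
    size_bytes: int
    description: str
    category: str


def classify(description: str) -> str:
    """Map the free-text description onto one of the categories above."""
    lowered = description.lower()
    for key, needle in CATEGORIES:
        if needle in lowered:
            return key
    return "other"


def size_to_bytes(text: str) -> int:
    number, unit = text.split()
    return int(float(number) * UNITS[unit])


def parse_report(text: str) -> list[Entry]:
    """Parse report text into Entry records; an unrecognised line is an error, not dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ENTRY_RE.match(line.strip())
        if match is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        entries.append(Entry(
            path=match["path"],
            timestamp=datetime.strptime(match["ts"], "%m/%d/%Y %I:%M %p"),
            size_bytes=size_to_bytes(match["size"]),
            description=match["desc"],
            category=classify(match["desc"]),
        ))
    return entries


def summarize(entries: list[Entry]) -> dict:
    """Counts per discrepancy class plus the oldest and newest entry."""
    ordered = sorted(entries, key=lambda e: e.timestamp)
    return {
        "counts": dict(Counter(e.category for e in entries)),
        "earliest": ordered[0] if ordered else None,
        "latest": ordered[-1] if ordered else None,
    }


def clsids(entries: list[Entry]) -> list[str]:
    """GUIDs from registry entries under a CLSID key, deduplicated, for manual lookup."""
    found = set()
    for e in entries:
        if "\\CLSID\\" in e.path:
            found.update(GUID_RE.findall(e.path))
    return sorted(found)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    summary = summarize(report)
    for category, count in sorted(summary["counts"].items()):
        print(f"{count} x {category}")
    for e in sorted(report, key=lambda e: e.timestamp):
        print(f"{e.timestamp:%Y-%m-%d %H:%M}  {e.category:22} {e.size_bytes:>8} B  {e.path}")
    print("CLSIDs to look up:", *clsids(report), sep="\n  ")
```

Running it on the pasted report gives three embedded-null keys and one each of the other three classes, with the entries dated from 8/19/2006 to 8/14/2007; that date spread is what you would compare with when each piece of software on the machine was installed.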
#2
Rootkit findings
I wanted to add that the "Hide standard NTFS metadata files" and "scan registry" options are both selected in the RootkitRevealer option screen.

Jeff
#3
Rootkit findings
All of those look fine - no solid indication of a bad guy there.

There are some other good rootkit scanners out there now; Panda makes a pretty good free one: http://research.pandasoftware.com/bl...ntiRootkit.zip and another: http://www.resplendence.com/hookanalyzer

Stay vigilant though...