Rootkit ?

External Since: Apr 28, 2006 Posts: 5

Hi,
I think I may have a rootkit.
Below is the result of the scan of a special rootkit revealer build. Can
someone tell me about it ?

HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName
19/10/2004 17:12 58 bytes Data mismatch between Windows API and raw hive
data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\? 09/10/2004 19:21
0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName
19/10/2004 17:13 58 bytes Data mismatch between Windows API and raw hive
data.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 06/06/2006 15:13 0
bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg41 06/06/2006 15:13 0
bytes Hidden from Windows API.
SYSTEM 01/01/1601 02:00 0 bytes Error dumping hive: Internal error.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131211.lnk
23/04/2006 19:07 839 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131212.lnk
02/06/2006 15:13 379 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131213.ini
06/06/2006 15:10 11.90 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131214.ini
06/06/2006 15:10 16.45 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131215.dir
06/06/2006 15:10 8.66 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131216.dir
06/06/2006 15:10 46 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\A0131217.dir
06/06/2006 15:10 2 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\change.log
06/06/2006 15:18 15.92 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\change.log.1
06/06/2006 02:47 13.99 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\change.log.2
06/06/2006 15:12 36.72 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\RestorePointSize
05/06/2006 20:54 8 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\rp.log
05/06/2006 20:54 536 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot
05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SAM
05/06/2006 20:54 28.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SECURITY
05/06/2006 20:54 44.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SOFTWARE
05/06/2006 20:54 23.86 MB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_MACHINE_SYSTEM
05/06/2006 20:54 4.74 MB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_.DEFAULT
05/06/2006 20:54 268.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
12/01/2005 15:06 256.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
05/06/2006 20:54 232.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-854245398-1220945662-839522115-1003
05/06/2006 20:54 5.20 MB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
05/06/2006 20:54 8.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-854245398-1220945662-839522115-1003
05/06/2006 20:54 24.00 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\ComDb.Dat
18/01/2005 14:18 22.79 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\domain.txt
05/06/2006 20:54 40 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository
05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\$WinMgmt.CFG
05/06/2006 12:50 20 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS
05/06/2006 20:54 0 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\INDEX.BTR
05/06/2006 12:50 1.62 MB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\INDEX.MAP
05/06/2006 20:54 872 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\MAPPING.VER
05/06/2006 20:54 4 bytes Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\MAPPING1.MAP
05/06/2006 20:46 4.87 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\MAPPING2.MAP
05/06/2006 20:54 4.87 KB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\OBJECTS.DATA
05/06/2006 12:50 7.96 MB Visible in Windows API, MFT, but not in directory
index.
C:\System Volume
Information\_restore{E0ABD19B-9D9D-476F-9B97-569B81431D2F}\RP512\snapshot\Repository\FS\OBJECTS.MAP
05/06/2006 20:54 4.02 KB Visible in Windows API, MFT, but not in directory
index.
C:\WINDOWS\_detmp.1 02/03/2005 21:34 78.39 KB Visible in directory index,
but not Windows API or MFT.
C:\WINDOWS\_detmp.2 30/08/2000 12:08 52.00 KB Visible in directory index,
but not Windows API or MFT.
C:\WINDOWS\Prefetch\ISUNINST.EXE-21B3FA6E.pf 06/06/2006 15:23 16.70 KB
Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4489B61B.pf 06/06/2006 15:22 45.02 KB
Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 06/06/2006 15:15
64.00 KB Visible in Windows API, MFT, but not in directory index.

External Since: Jun 06, 2006 Posts: 2

Zoned wrote:
> bigot.charlot wrote:
> > Hi,
> > I think I may have a rootkit.
> > Below is the result of the scan of a special rootkit revealer build. Can
> > someone tell me about it ?
> >
>
> Looks like a load of false positives!!!!

Next thing you know, people will be dumping hijackthis logs here too.
Sad