My email passwords were changed

Frankly, Ben, neither would I. <g> But don't let that stop you! :) There
are folks here who would, if you post your results. It would certainly be
helpful to know if there is a rootkit on your system or not, and your
situation is certainly a mystery we'd love to know the answer to. It's a
simple and fast scan, couldn't hurt, right? :)

Patty
 
How would you post a rootkit file?

Should I just copy and paste it here in .rtf form?

Thank you

Ben
 
When you run RootkitRevealer, I believe you can generate a simple text file
which is the result. Just use cut and paste to paste those results to a
message in this thread.

--
 
You people have been great. Thank you

Note that I have many encrypted files on this system.

Rootkit report posted as follows:

 