do i have an issue with root kits?

Discussion in 'Windows - Virus and spyware problems' started by narcismo, Jan 4, 2007.

  1. narcismo

    narcismo Regular member

    Joined:
    Jun 3, 2006
    Messages:
    309
    Likes Received:
    0
    Trophy Points:
    26
    Here is a RootkitRevealer log, please help a disturbed soul.
    I couldn't understand this log to save my life. Has my integroti (as Eric Cartman would say) been compromised?

    Wow, that's a lot of info.

    thanks in advance
    any help is very much appreciated.
     
  2. bkf

    bkf Guest

    Just a quick observation. When doing these tests the first thing everybody needs to do is clean out their temp files and cookie folders (something they should be doing every day, and shut off all not necessary known programs). Makes life so much easier. If it's a root kit it won't delete. No shot intended, fact is with your post I ran a RKR to check my system and it came up with the same 7 embedded nulls from 2004 and the mystery hidden empty file from the API on my desktop that has been there forever and can only be seen if you turn on view all hidden files. Your RKR looks OK to me but the big guns have to give it their blessing. To me in your case all but 3 are in temp folders. Empty them and run again to be sure. Don't touch the system while RKR runs. Good luck, Bk

    ps: don't feel bad, RKR logs can be tough to read :)
     
    Last edited by a moderator: Jan 5, 2007
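    A small triage script for RootkitRevealer output, added here as an example (it is not from this thread or from Sysinternals), that applies the rule bkf describes: parse each log line, treat embedded-null keys under HKLM\SECURITY\Policy\Secrets as expected, treat cache and temp files that changed during the scan as transient (clear them and re-scan), and keep everything else, especially executables, for review. The first four sample lines are the cleaned log posted later in this thread; the last two, including the Content.IE5 folder name and the cut-off line, are constructed.

```python
import re
# One RootkitRevealer line: <path> <M/D/YYYY> <H:MM AM|PM> <size> <unit> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) (?P<desc>.+)$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}
TEMP_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
SAMPLE = [  # first four lines are from the thread's cleaned log, the last two are constructed
    r"HKU\S-1-5-21-329068152-1214440339-839522115-500\Software\Zepter Software\RegLib*8427c988 4/23/2006 10:18 PM 0 bytes Key name contains embedded nulls (*)",
    r"HKLM\SECURITY\Policy\Secrets\SAC* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)",
    r"HKLM\SECURITY\Policy\Secrets\SAI* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\rtdrvmon.exe 1/5/2007 9:51 PM 40.00 KB Hidden from Windows API.",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ads[1].htm 1/5/2007 12:37 AM 3.70 KB Hidden from Windows API.",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\truncated.jpg 1/5/2007 12:",  # cut off, as in a pasted log
]

def parse_line(line):
    """Return a dict for a well-formed RKR line, or None for a truncated/garbled one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(round(float(m["size"]) * UNIT[m["unit"]]))
    return {"path": m["path"], "when": f"{m['date']} {m['time']}",
            "size": size, "discrepancy": m["desc"]}

def triage(entry):
    """Bucket an entry: 'expected', 'transient' (clear temp and re-scan), or 'review'."""
    p = entry["path"].lower()
    if "embedded nulls" in entry["discrepancy"]:
        # LSA secrets keys under Policy\Secrets show up like this on clean systems (per the thread)
        return "expected" if p.startswith("hklm\\security\\policy\\secrets\\") else "review"
    if p.endswith(EXEC_EXT):
        return "review"      # an executable hidden from the API is never dismissed as cache churn
    if any(t in p for t in TEMP_MARKERS):
        return "transient"   # browser cache / temp files change while the scan runs
    return "review"

def summarize(lines):
    counts = {"expected": 0, "transient": 0, "review": 0, "unparsed": 0}
    review = []
    for line in lines:
        e = parse_line(line)
        cat = "unparsed" if e is None else triage(e)
        counts[cat] += 1
        if cat == "review":
            review.append(e["path"])
    return counts, review
```

Anything in the `review` list is what you would ask about in a thread like this one; the `transient` count should drop to zero after emptying the temp folders and scanning again without touching the machine.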
  3. narcismo

    narcismo Regular member

    bkf,
    Thanks for the heads up.
    I didn't know that, but now that I see all those temp files (and the corresponding dates) it should have dawned on me. Anyway, I'll give my machine a quick flush and post back.
    In the future (when I try to read these logs), is there a certain file size that might set off a "red flag" (in other words, is there a min. file size I can ignore?). I see they are all very small.
     
    Last edited: Jan 5, 2007
  4. narcismo

    narcismo Regular member

    OK, now this is a bit more readable :)
    See what you think.

    HKU\S-1-5-21-329068152-1214440339-839522115-500\Software\Zepter Software\RegLib*8427c988 4/23/2006 10:18 PM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAC* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
    C:\Documents and Settings\Administrator\Local Settings\Temp\rtdrvmon.exe 1/5/2007 9:51 PM 40.00 KB Hidden from Windows API.
    Know of any links for an RKR guide?
     
  5. bkf

    bkf Guest

    I'll search up your 4 log items. 2 are OK. I bet the other two are also OK but I want to make sure. The instruction manual should come with the .zip file (if ya can read it, LOL). It's worse than the logs. I would not limit RKR in any way. Some stuff can be quite small. A good thing I learned here at AD is to not touch the system as it scans. RKR seems to pick up on that and adds entries. Bunch of good people here!

    One thing troubles me:
    "C:\Documents and Settings\Administrator\Local Settings\Temp"
    Are you running off your administrator account? That is not a good thing. Those temp files should be going to a user account you make. That account has the same rights as the admin account.

    All my temp stuff goes to C:\Documents and settings\my user name\Local Settings\Temp

    There is also a temp folder in C:/windows, not too far under the prefetch folder.
     
    Last edited by a moderator: Jan 6, 2007
  6. narcismo

    narcismo Regular member

    Thanks again for the help and the heads-up re: temp folder (long story),
    meant to change that. I'll do it now before I forget again.
    have a good one

     
  7. bkf

    bkf Guest

    Some day you can tell me that story, sounds interesting :)
    As far as I can tell your RKR is clean, actually better than mine, but I know my entries are harmless.
     
