SED
Cadet

 Joined: Jan 25, 2008 Posts: 5 Location: USA
Posted: Fri Jan 25, 2008 11:46 pm Post subject: Do I have a root kit? offb03
HKLM\SECURITY\Policy\Secrets\SAC* 7/2/2007 1:35 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 7/2/2007 1:35 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{148f1a14-53f3-4074-a573-e1ccd344e1d0}* 7/2/2007 1:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 8/4/2007 5:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{76db1bf3-e820-4765-a1b2-0b16a86b1950}* 7/2/2007 2:43 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32\ThreadingModel 7/2/2007 11:03 PM 5 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\CpqCiDrv.SYS\ComponentXmlPath 8/8/2007 6:57 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\CpqCiDrv.SYS\ComponentFileName 8/8/2007 6:57 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cpqcissm.dll\ComponentXmlPath 8/8/2007 6:56 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cpqcissm.dll\ComponentFileName 8/8/2007 6:56 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cpqimlv.exe\ComponentXmlPath 8/8/2007 6:58 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cpqimlv.exe\ComponentFileName 8/8/2007 6:58 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cpqrcmc.exe\ComponentXmlPath 8/8/2007 6:57 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cpqrcmc.exe\ComponentFileName 8/8/2007 6:57 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cqmgstor.exe\ComponentXmlPath 8/8/2007 7:02 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\cqmgstor.exe\ComponentFileName 8/8/2007 7:02 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\hpdiags.exe\ComponentXmlPath 8/8/2007 7:05 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\hpdiags.exe\ComponentFileName 8/8/2007 7:05 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\hponcfg.exe\ComponentXmlPath 8/8/2007 7:04 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\hponcfg.exe\ComponentFileName 8/8/2007 7:04 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\hpsmhd.exe\ComponentXmlPath 8/8/2007 6:54 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\hpsmhd.exe\ComponentFileName 8/8/2007 6:54 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\vcagent.exe\ComponentXmlPath 8/8/2007 7:01 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hewlett-Packard\Version Control\HPRevisionManagement\vcagent.exe\ComponentFileName 8/8/2007 7:01 PM 261 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\szLastScanned 1/25/2008 3:19 PM 56 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\dwFilesScanned 1/25/2008 3:19 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime 1/25/2008 3:18 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveStamp 1/25/2008 3:18 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Security 7/5/2007 8:29 AM 0 bytes Security mismatch.
HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security 7/5/2007 8:29 AM 0 bytes Security mismatch.
C:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Print Settings\HP5ll9p3.cfg 1/25/2008 3:21 PM 88.92 KB Hidden from Windows API.
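The report above is RootkitRevealer's cross-view output: each line is an object that the raw scan sees differently from the Windows API, and the trailing text names the kind of discrepancy. The following parser is an added example (it is not from this thread or from Sysinternals); it tokenises lines in that layout and groups them by discrepancy class, with a comment on what each class means, so a long report can be read by class rather than line by line. The sample lines are copied from the report above; the category names and the `triage` helper are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: five lines copied from the RootkitRevealer report above,
# one for each discrepancy string the tool printed.
SAMPLE_LINES = [
    r"HKLM\SECURITY\Policy\Secrets\SAC* 7/2/2007 1:35 PM 0 bytes Key name contains embedded nulls (*)",
    r"HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\szLastScanned 1/25/2008 3:19 PM 56 bytes Windows API length not consistent with raw hive data.",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime 1/25/2008 3:18 PM 4 bytes Data mismatch between Windows API and raw hive data.",
    r"HKLM\SYSTEM\ControlSet001\Services\Eventlog\Security 7/5/2007 8:29 AM 0 bytes Security mismatch.",
    r"C:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Print Settings\HP5ll9p3.cfg 1/25/2008 3:21 PM 88.92 KB Hidden from Windows API.",
]

# One report line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <unit> <discrepancy>.
# The path may contain spaces, so it is matched lazily up to the date.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) "
    r"(?P<discrepancy>.+)$"
)


def parse_line(line):
    """Return a dict for one report line, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = float(rec["size"])
    return rec


def parse_report(lines):
    """Parse every well-formed line; banners, blanks and other malformed lines are skipped."""
    return [rec for rec in map(parse_line, lines) if rec]


def classify(discrepancy):
    """Map the tool's discrepancy string to a coarse category for triage.

    'hidden'            - object present in the raw scan but not visible through the
                          Windows API; the discrepancy cross-view scanning exists to find.
    'data-mismatch'     - value read through the API differs from the raw hive read;
                          values that change constantly (uptime stamps, scan counters)
                          produce this whenever the two reads happen at different moments.
    'embedded-nulls'    - key name contains NUL characters the Win32 API cannot address.
    'security-mismatch' - security descriptor differs between the API and the raw hive.
    """
    d = discrepancy.lower()
    if d.startswith("hidden from windows api"):
        return "hidden"
    if "embedded nulls" in d:
        return "embedded-nulls"
    if d.startswith("security mismatch"):
        return "security-mismatch"
    if "mismatch" in d or "not consistent" in d:
        return "data-mismatch"
    return "other"


def triage(lines):
    """Group the paths from a report by category; categories with no hits are absent."""
    groups = defaultdict(list)
    for rec in parse_report(lines):
        groups[classify(rec["discrepancy"])].append(rec["path"])
    return dict(groups)


if __name__ == "__main__":
    for category, paths in sorted(triage(SAMPLE_LINES).items()):
        print(f"{category}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run it as a script to see the grouped summary; for a real report, pass the lines of a full RootkitRevealer text export to `triage`.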
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Sat Jan 26, 2008 2:11 am
Do you have any symptoms? Why are you submitting a report? There is nothing in that report at all abnormal.
_________________
Don't read? Can't learn!
SED
Cadet

 Joined: Jan 25, 2008 Posts: 5 Location: USA
Posted: Sat Jan 26, 2008 3:41 pm
Thank you. The first post was produced by Microsoft's RootkitRevealer. When I run McAfee's Rootkit Detective it reports . . . . . .
Object-Type: Registry-value
Object-Name: ThreadingModel
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32
Status: Registy value-data mismatch
Object-Type: IAT/EAT-hook
PID: 2444
Details: Export : Function : ADVAPI32.dll!RegOpenKeyExA => 00290000 + 0xfef
Object-Path: 00290000 + 0xfef
Status: Hooked
Is there a preferred scanner to use in this forum?
I have several systems that look like they may be infected. This one seemed to be the simplest to start with. If this one seems clean, I can focus on the systems that are reporting more interesting settings, such as hidden items in C:\System Volume Information.
I was unable to get either scanner to run on a Windows 2003 64-bit system . . . . should the Microsoft scanner be able to work with a 64-bit system?
Well, back to scanning my other systems.
Thank you for any help / advice you can provide.
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Sat Jan 26, 2008 3:55 pm
Hi,
That hook seen by McAfee is a legitimate MS system file.
When looking at malware, rootkits are only a specific sub-variety of them. And, it really refers to how the infection links into the system, not what it does. For any possible malware issue, you should start with a HiJackThis log in our HJT Forum here:
/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
HJT is always our first check for any form of suspected malware. Here are instructions for that:
Please click Here to download HijackThis to your desktop.
Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.
It will be installed by default here: C:\Program Files\Trend Micro\HijackThis
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.
Click on "Do a system scan and save logfile". When the log pops up in Notepad, click on the Notepad Format menu and uncheck Word Wrap, then copy and paste that file back here.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Before closing HJT, please click on the AnalyzeThis button. That sends purely statistical data to Trend Micro so they can continue to improve HJT. It does not analyze your log, it simply lists what HJT finds, both legitimate software and malware. Do not take any action or try to fix anything based upon that information. Then, close the web page that appears and then close the program HJT.
Now, this is important. Legitimate software can look like malware. Both show up in various reports. Do not do anything based on these reports unless you know exactly what you are doing. If you touch the wrong thing, you can kill the system you are working on.
As to your question about "preferred" rootkit diagnostic, we use many of them depending on what we suspect the problem is, since they all work differently.
_________________
Don't read? Can't learn!
SED
Cadet

 Joined: Jan 25, 2008 Posts: 5 Location: USA
Posted: Tue Jan 29, 2008 5:58 pm Post subject: Do I have a root kit? acct1
Does the presence of hooked system files indicate a rootkit?
McAfee(R) Rootkit Detective 1.1 scan report
On 26-01-2008 at 22:14:12
OS-Version 5.2.3790
Service Pack 2.0
====================================
Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwDeleteKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwDeleteValueKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwEnumerateKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwEnumerateValueKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwQueryKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwQueryValueKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: Registry-value
Object-Name: ThreadingModel
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32
Status: Registy value-data mismatch
Object-Type: IAT/EAT-hook
PID: 8004
Details: Export : Function : ADVAPI32.dll!RegOpenKeyA => 00290000 + 0xfef
Object-Path: 00290000 + 0xfef
Status: Hooked
. . . . .
=====
From
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:11 AM, on 1/29/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk Network License Manager\lmgrd.exe
C:\SciNote5p5Licensing\lmgrd.exe
C:\Program Files\Autodesk Network License Manager\lmgrd.exe
C:\Program Files\flexlmPTC\i486_nt\obj\lmgrd.exe
C:\Program Files\flexlmPTC\i486_nt\obj\lmgrd.exe
C:\SciNote5p5Licensing\mackichn.exe
C:\Program Files\Autodesk Network License Manager\adskflex.exe
C:\WINDOWS\system32\nhsrvice.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MultiLink\bin\LiebertM.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\MATLAB\R2007a\flexlm\lmgrd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\MATLAB\R2007a\flexlm\lmgrd.exe
C:\Program Files\MATLAB\R2007a\flexlm\mlm.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\National Instruments\Shared\License Manager\Bin\nilm.exe
C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\dbasqlr.exe
C:\Program Files\Host Monitoring\rma.exe
C:\Program Files\Rainbow Technologies\SentinelLM 7.2.0.6 Server\English\lservnt.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\Program Files\SolidWorks SolidNetWork License Manager\SW_D.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\system32\sysdown.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\winlogon.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.olympic.edu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.olympic.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.olympic.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: SED acct1.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.olympic.edu
O15 - ESC Trusted Zone: http://www.oc.ctc.edu
O15 - ESC Trusted Zone: http://www.electronicsworkbench.com
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://www.mathworks.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://digital.ni.com
O15 - ESC Trusted Zone: http://search.ni.com
O15 - ESC Trusted Zone: http://sine.ni.com
O15 - ESC Trusted Zone: http://www.ni.com
O15 - ESC Trusted Zone: http://www.olympic.edu
O15 - ESC Trusted Zone: http://track.sendtraffic.com
O15 - ESC Trusted Zone: http://www.solidedge.com
O15 - ESC Trusted Zone: http://ftp.ugs.com
O15 - ESC Trusted Zone: http://support.ugs.com
O15 - ESC Trusted Zone: http://webtac.ugs.com
O15 - ESC Trusted Zone: http://www.ugs.com
O15 - ESC Trusted Zone: http://www2.ugs.com
O15 - ESC Trusted Zone: http://m.webtrends.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {4F56AFAB-9893-4500-8F5D-16EA8CA9115B} (VolumeExtractor Class) - http://www.solidedge.com/evaluationlicense/download/SEEvalVolExt.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187920407889
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187920386233
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = instruction.oc.ctc.edu
O17 - HKLM\Software\..\Telephony: DomainName = instruction.oc.ctc.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE153623-22F6-4A46-8FE8-1A20986F5DD8}: Domain = instruction.oc.ctc.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE153623-22F6-4A46-8FE8-1A20986F5DD8}: NameServer = 134.39.33.254,134.39.30.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = instruction.oc.ctc.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = instruction.oc.ctc.edu,oc.ctc.edu,ctc.edu,office.oc.ctc.edu,netweb.oc.ctc.dev,oocwnw.oc.ctc.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = instruction.oc.ctc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = instruction.oc.ctc.edu,oc.ctc.edu,ctc.edu,office.oc.ctc.edu,netweb.oc.ctc.dev,oocwnw.oc.ctc.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = instruction.oc.ctc.edu,oc.ctc.edu,ctc.edu,office.oc.ctc.edu,netweb.oc.ctc.dev,oocwnw.oc.ctc.net
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - CA - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - CA - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - CA - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
O23 - Service: Flexlm Autocad - Macrovision Corporation - C:\Program Files\Autodesk Network License Manager\lmgrd.exe
O23 - Service: FLEXlm SciNote5p5 - Macrovision Corporation - C:\SciNote5p5Licensing\lmgrd.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlmPTC\i486_nt\obj\lmgrd.exe
O23 - Service: HASP Loader - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\nhsrvice.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Liebert MultiLink (LiebertM) - Liebert Corporation - C:\Program Files\MultiLink\bin\LiebertM.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MATLAB License Server - Macrovision Corporation - C:\Program Files\MATLAB\R2007a\flexlm\lmgrd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - CA - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\dbasqlr.exe
O23 - Service: KS Remote Monitoring Agent (RMAService) - Unknown owner - C:\Program Files\Host Monitoring\rma.exe
O23 - Service: SentinelLM - Freedom Scientific - C:\Program Files\Rainbow Technologies\SentinelLM 7.2.0.6 Server\English\lservnt.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
--
End of file - 12498 bytes
Prince_Serendip
Site Moderator
 Joined: Sep 07, 2002 Posts: 17542
Posted: Wed Jan 30, 2008 12:54 am
I've merged your new topic to your old one as we frown on duplicates of any kind. Continuing on...
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
SED
Cadet

 Joined: Jan 25, 2008 Posts: 5 Location: USA
Posted: Wed Jan 30, 2008 4:59 pm
Then for the second server, acct1:
Does the presence of the hooked system file C:\WINDOWS\system32\ntoskrnl.exe above (Zw[Create, Delete, etc.]Key) indicate a rootkit?
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5394
Posted: Wed Jan 30, 2008 8:45 pm
Innocent SSDT hooks are very common and can be created by security applications or programs like Daemon Tools or Alcohol. It is normal to have SSDT hooks and the entry you are asking about is probably from your AV McAfee. However, Rootkit Detective's report doesn't show what is hooking the SSDT.
Rootkit SSDT hooks are very easily detectable by just about any rootkit detector. What distinguishes a rootkit is that it uses these hooks to hide and fool the OS into reporting back false information that denies its presence on the system.
There are not many rootkit tools for Win 2003 Server but BlackLight will run on it and note hidden files or processes.
I don't believe any rootkit tools run on 64 bit Win 2003 Server. Resplendence had one called RootKit Hook Analyzer, that ran on 64 bit Windows, but it has since been withdrawn for use on that platform.
You can try running the Malicious Software Removal Tool (MSRT by Microsoft)
http://www.microsoft.com/security/malwareremove/default.mspx
You can try Blacklight for Win 2003 Server (32 bit) systems.
Download BlackLight Rootkit Eliminator (the standalone version) to your desktop:
http://www.f-secure.com/blacklight/blacklight.html
There is no installation process, just click on fsbl.exe to launch the program, accept the license agreement and then click the Scan button.
Leave the system completely idle while scanning.
Directions and screenshots for running the scan can be found here (the Explorer check box is no longer implemented):
http://www.f-secure.com/blacklight/blacklight_help.html#system_requirements
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
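The Rootkit Detective report posted earlier in the thread can be broken down the same way a defender would read it by hand. The following is an added example, not part of negster22's reply and not McAfee's own code: it splits the report into records, counts them by Object-Type, and separates SSDT hooks from IAT/EAT hooks. In the report above every SSDT entry carries the kernel image itself as its Object-Path, so the entry names the hooked service but not the module that installed the hook, which is the gap negster22 points out; `unattributed_ssdt_hooks` pulls exactly those entries out. The sample text is a cut-down copy of the report above, and the `hooked_surfaces` heuristic, which buckets hooked Zw functions by the subsystem their name suggests, is this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a cut-down copy of the Rootkit Detective report posted above,
# keeping one record of each Object-Type that appeared.
SAMPLE_REPORT = r"""
McAfee(R) Rootkit Detective 1.1 scan report
On 26-01-2008 at 22:14:12
OS-Version 5.2.3790
Service Pack 2.0
====================================
Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: SSDT-hook
Object-Name: ZwQueryValueKey
Object-Path: C:\WINDOWS\system32\ntoskrnl.exe
Object-Type: Registry-value
Object-Name: ThreadingModel
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32
Status: Registy value-data mismatch
Object-Type: IAT/EAT-hook
PID: 8004
Details: Export : Function : ADVAPI32.dll!RegOpenKeyA => 00290000 + 0xfef
Object-Path: 00290000 + 0xfef
Status: Hooked
"""

KERNEL_IMAGE = "ntoskrnl.exe"
# Module!Function token inside an IAT/EAT 'Details' line.
IMPORT_RE = re.compile(r"([\w.]+\.dll!\w+)", re.IGNORECASE)


def parse_report(text):
    """Split the report into records; each 'Object-Type:' line starts a new one.

    Lines are split on the first colon only, so paths and the 'Details' line
    (which contain more colons) keep their value intact. Banner lines before
    the first record are ignored.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Object-Type":
            current = {"Object-Type": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def count_by_type(records):
    return Counter(r["Object-Type"] for r in records)


def ssdt_hooks_by_path(records):
    """Hooked service names grouped by the Object-Path the report attaches to them."""
    grouped = defaultdict(list)
    for r in records:
        if r["Object-Type"] == "SSDT-hook":
            grouped[r.get("Object-Path", "")].append(r.get("Object-Name", ""))
    return dict(grouped)


def unattributed_ssdt_hooks(records):
    """SSDT entries whose path is the kernel image itself.

    Such entries say which service is hooked but not which driver installed the
    hook, so on their own they cannot separate an AV self-protection hook from a
    rootkit; a tool that names the hooking module is needed for that.
    """
    return [name for path, names in ssdt_hooks_by_path(records).items()
            if path.lower().endswith(KERNEL_IMAGE) for name in names]


def hooked_surfaces(records):
    """Heuristic bucketing of hooked Zw* services by the subsystem their name suggests."""
    buckets = Counter()
    for name in (r.get("Object-Name", "") for r in records if r["Object-Type"] == "SSDT-hook"):
        if "Key" in name:
            buckets["registry"] += 1
        elif "File" in name or "Directory" in name:
            buckets["filesystem"] += 1
        elif "Process" in name or "Thread" in name:
            buckets["process"] += 1
        else:
            buckets["other"] += 1
    return buckets


def iat_hooks(records):
    """(PID, Module!Function) for every IAT/EAT hook record with a parsable Details line."""
    result = []
    for r in records:
        if r["Object-Type"] != "IAT/EAT-hook":
            continue
        m = IMPORT_RE.search(r.get("Details", ""))
        if m:
            result.append((r.get("PID", "?"), m.group(1)))
    return result


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(dict(count_by_type(recs)))
    print("SSDT hooks without an owning module:", unattributed_ssdt_hooks(recs))
    print("Hooked surfaces:", dict(hooked_surfaces(recs)))
    print("IAT/EAT hooks:", iat_hooks(recs))
```

On the full report above, `hooked_surfaces` would place all nine SSDT entries in the registry bucket, which is consistent with negster22's reading that a registry-watching AV driver is the likely owner, but the parser cannot confirm that: an SSDT entry attributed only to ntoskrnl.exe has to be followed up with a tool that names the hooking driver.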
SED
Cadet

 Joined: Jan 25, 2008 Posts: 5 Location: USA
Posted: Wed Jan 30, 2008 9:58 pm
Thank you.
If I need to ask about another server, should I add it on to this thread?
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5394
Posted: Wed Jan 30, 2008 10:31 pm
One system at a time is preferable so there is no confusion.
BTW, Blacklight will run on 64 bit XP and Win 2003 Server systems:
F-Secure wrote:
System requirements
To use F-Secure BlackLight, your computer must have one of the following supported operating systems:
Windows 2000
Windows XP (32 and 64-bit)
Windows 2003 Server (32 and 64-bit)
Windows Vista (32-bit only)
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Prince_Serendip
Site Moderator
 Joined: Sep 07, 2002 Posts: 17542