CastleCops, Internet Crime Fighters

[DONE] please help rootkit prob

Forum: All -> FavForums -> Rootkit Revelations
tiuman
Trooper
Joined: Feb 02, 2008
Posts: 10
Location: Philippines

Posted: Sat Feb 02, 2008 6:16 am    Post subject: please help rootkit prob

How can I remove these rootkits?
Here's the log from RootkitRevealer:

HKLM\SECURITY\Policy\Secrets\SAC* 11/20/2007 11:32 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/20/2007 11:32 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/2/2008 12:53 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 12/8/2007 2:48 AM 0 bytes Access is denied.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Office 2/2/2008 1:18 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Office\Groove 2/2/2008 1:18 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Office\Groove\System 2/2/2008 1:18 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Office\Groove\User 2/2/2008 1:18 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\NetworkService\Recent 2/2/2008 1:18 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\NetworkService\Recent\Desktop.ini 2/2/2008 1:18 PM 150 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\cookies-3.txt 2/2/2008 1:13 PM 862 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\sessionstore-2.js 2/2/2008 1:13 PM 28.32 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\sessionstore-3.js 2/2/2008 1:14 PM 28.47 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\0F1B7525d01 2/2/2008 1:15 PM 20.38 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\19C9DF1Ed01 2/1/2008 12:23 PM 28.08 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\1E07D51Dd01 2/2/2008 1:19 PM 24.79 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\241E0A6Dd01 2/1/2008 6:57 AM 24.89 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\2816286Ad01 2/2/2008 1:09 PM 32.42 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\2C412BC7d01 1/31/2008 11:01 PM 233.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\2C5482E2d01 2/1/2008 9:51 AM 39.82 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\317E8A5Fd01 2/1/2008 6:51 AM 25.22 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\36EB55F7d01 2/2/2008 1:18 PM 180.20 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\426252C8d01 2/2/2008 1:05 PM 20.42 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\480F837Fd01 2/2/2008 1:08 PM 20.44 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\53D9C91Fd01 2/1/2008 6:54 AM 20.67 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\54EADE8Fd01 2/2/2008 1:17 PM 24.84 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\613B549Dd01 2/2/2008 1:05 PM 92.74 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\8E0F37DEd01 2/2/2008 1:09 PM 22.87 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\97E73702d01 2/2/2008 1:08 PM 22.01 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\ADE58809d01 2/2/2008 1:05 PM 105.05 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\ADE59BFBd01 2/2/2008 1:05 PM 114.53 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\BE3D20F2d01 1/11/2008 6:26 AM 130.08 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\C1921F29d01 2/1/2008 2:18 PM 21.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\C6377F1Bd01 1/28/2008 12:01 PM 64.31 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\DA1CD4E7d01 2/2/2008 1:09 PM 67.19 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Application Data\Mozilla\Firefox\Profiles\444sa1pl.default\Cache\FDD52D06d01 1/31/2008 9:08 AM 35.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\History\History.IE5\MSHist012008020220080203 2/2/2008 1:17 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\History\History.IE5\MSHist012008020220080203\index.dat 2/2/2008 1:17 PM 32.00 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\FAP1AB.tmp 2/2/2008 1:12 PM 4 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH19A.tmp 2/2/2008 1:09 PM 1.21 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH19C.tmp 2/2/2008 1:09 PM 2.61 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH19E.tmp 2/2/2008 1:09 PM 5.41 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1A0.tmp 2/2/2008 1:09 PM 3.54 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1A2.tmp 2/2/2008 1:10 PM 4.59 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1A4.tmp 2/2/2008 1:10 PM 1.23 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1A6.tmp 2/2/2008 1:10 PM 1.51 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1A8.tmp 2/2/2008 1:10 PM 1.84 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1AA.tmp 2/2/2008 1:11 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1AC.tmp 2/2/2008 1:13 PM 10.24 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1B3.tmp 2/2/2008 1:14 PM 566 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1B5.tmp 2/2/2008 1:14 PM 20.38 KB Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1CA.tmp 2/2/2008 1:15 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1CB.tmp 2/2/2008 1:15 PM 764 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1CD.tmp 2/2/2008 1:16 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Local Settings\Temp\IH1CE.tmp 2/2/2008 1:16 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Recent\Eula.txt.lnk 2/2/2008 1:17 PM 484 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Recent\RootkitRevealer.lnk 2/2/2008 1:17 PM 351 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Recent\TMRB00001.TXT.lnk 2/2/2008 1:18 PM 626 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Recent\TMRB00002.TXT.lnk 2/2/2008 1:18 PM 626 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Recent\TMRB00003.TXT.lnk 2/2/2008 1:18 PM 626 bytes Hidden from Windows API.
C:\Documents and Settings\Tyrone Q. Tiu\Recent\TMRBLog.lnk 2/2/2008 1:18 PM 444 bytes Hidden from Windows API.

Cudni
Special Response Team
Joined: Dec 10, 2002
Posts: 3721
Location: Et In Arcadia ego
MIRT MVP SRT

Posted: Sat Feb 02, 2008 3:24 pm    Post subject:

Just because they show up in RR, it doesn't mean they are rootkits :)

see
http://forum.sysinternals.com/forum_posts.asp?TID=2408

Cudni


_________________
Hecho en Mexico
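To make Cudni's point concrete, here is an added example (my code, not from this thread or from Sysinternals) that parses lines in the RootkitRevealer format quoted above and sorts them into verdicts. The rules encode commonly documented RR discrepancy patterns that are not rootkits: the LSA Secrets SAC*/SAI* keys with embedded nulls, the RNG\Seed value that changes between reads, a driver-protected key such as sptd\Cfg, and files that were written while the scan itself was running (note how the timestamps in the log above cluster around the scan time). The rules, the 30-minute window and the sample lines are my assumptions and constructions, not facts taken from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in RootkitRevealer's format: <path> <date> <time> <size> <description>.
# None of these lines come from a real scan; the .sys path is a deliberate placeholder.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 11/20/2007 11:32 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/2/2008 12:53 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 12/8/2007 2:48 AM 0 bytes Access is denied.
C:\Documents and Settings\Example User\Local Settings\Temp\IH19A.tmp 2/2/2008 1:09 PM 1.21 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\EXAMPLE_placeholder.sys 1/15/2008 3:00 AM 12.00 KB Hidden from Windows API.
"""

# Paths may contain spaces, so the path group is non-greedy and the date pattern anchors it.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+)$"
)

def parse_log(text):
    """Parse RR output lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["when"] = datetime.strptime(e["stamp"], "%m/%d/%Y %I:%M %p")
            entries.append(e)
    return entries

def triage(entry, scan_end, window=timedelta(minutes=30)):
    """Return (verdict, reason). The rules are assumptions based on known RR false-positive patterns."""
    path, desc = entry["path"].lower(), entry["desc"]
    if "embedded nulls" in desc and path.startswith(r"hklm\security\policy\secrets"):
        return "benign", "LSA Secrets keys with embedded nulls are a standard Windows artifact"
    if path.endswith(r"\cryptography\rng\seed") and "Data mismatch" in desc:
        return "benign", "RNG seed changes between the API read and the raw hive read"
    if desc.startswith("Access is denied"):
        return "review", "a driver protects this key; identify the owning software before acting"
    if desc.startswith(("Hidden from Windows API", "Visible in Windows API, but not in MFT")):
        if scan_end - window <= entry["when"] <= scan_end:
            return "benign", "file changed while the scan ran (API view vs raw disk view race)"
        return "investigate", "hidden/unindexed file not explained by scan timing"
    return "investigate", "unclassified discrepancy"

def triage_log(text):
    """Triage every entry, assuming the scan ended at the newest timestamp in the log."""
    entries = parse_log(text)
    if not entries:
        return []
    scan_end = max(e["when"] for e in entries)
    return [(e["path"], *triage(e, scan_end)) for e in entries]
```

Anything that comes back as "investigate" still needs a second tool and a look at the file itself; the rules only explain the discrepancies RR is known to produce on a clean machine.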
tiuman
Trooper
Joined: Feb 02, 2008
Posts: 10
Location: Philippines

Posted: Sat Feb 02, 2008 4:44 pm    Post subject:

Ahh ok, I thought there was really something wrong, I was really alarmed hehe.
I also tried other anti-rootkit sw, and only RR had those results.
Well, thanks Cudni.. now I know.
I should have researched first before posting. Tnx again.
