Forum Home > Sysinternals Utilities > RootkitRevealer Logs

What's the meaning of this?

namrehto
Posted: 06 March 2006 at 11:15am
i guess the readings are there, cause i had tbtray running.

If it was potentially making periodic filesystem changes (temp files etc), that could explain it.
Gil

ghik
Posted: 06 March 2006 at 11:07am

In your first scan, you appeared to be using the PC during the scan.
but didn't do so. i guess the readings are there, cause i had tbtray running.
In the third you disabled the Hide NTFS Metadata Files option.
yes.
i made three scans, cause i wasn't sure whether the adobe mismatch was due to adobe version key, which was running during the first scan, too.
and thanks for that link.

namrehto
Posted: 05 March 2006 at 2:45pm
the second scan:

HKLM\S-1-5-21-1659004503-2077806209-725345543-1003\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath    17.12.2005 22:28    87 bytes    Data mismatch between Windows API and raw hive data.

So this item is the only consistent report, yes? It looks like the same issue as discussed here, i.e. nothing to worry about.

In your first scan, you appeared to be using the PC during the scan. In the third you disabled the Hide NTFS Metadata Files option.
Gil
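
The comparison made in the reply above (keep only what every scan reports, and set aside the NTFS metadata files that are listed once Hide NTFS Metadata Files is disabled) can be scripted. This is an added example, not part of the original thread or of RootkitRevealer; the column layout is assumed from the log lines posted here, and the sample input is abridged from the three scans in this thread.

```python
import re
from collections import Counter

# Sample input: log lines abridged from the three scans posted in this thread.
ADOBE = (r"HKLM\S-1-5-21-1659004503-2077806209-725345543-1003\Software\Adobe"
         r"\MediaBrowser\MRU\illustrator\ApplicationPath    17.12.2005 22:28"
         "    87 bytes    Data mismatch between Windows API and raw hive data.")
HIDDEN = "    0 bytes    Hidden from Windows API."
SCANS = [
    "\n".join([ADOBE,
               r"HKLM\SOFTWARE\Classes\HTTP\shell\open\ddeexec    05.03.2006 18:57" + HIDDEN,
               r"C:\Dokumente und Einstellungen\Paul\Lokale Einstellungen\Temp"
               r"\~DFD0A6.tmp    05.03.2006 20:06    16.00 KB    Hidden from Windows API."]),
    ADOBE,
    "\n".join([ADOBE,
               r"C:\$MFT    16.08.2005 23:35    94.77 MB    Hidden from Windows API.",
               r"C:\$Extend    16.08.2005 23:35" + HIDDEN]),
]

# Assumed layout: path, "dd.mm.yyyy hh:mm", size, description, separated by
# runs of two or more spaces (paths themselves may contain single spaces).
LINE = re.compile(r"^(?P<path>.+?)\s{2,}(?P<when>\d\d\.\d\d\.\d{4} \d\d:\d\d)\s{2,}"
                  r"(?P<size>[\d.]+ \w+)\s{2,}(?P<desc>.+)$")
NTFS_META = re.compile(r"^[A-Za-z]:\\\$")  # volume-root $-files such as C:\$MFT


def parse(log):
    """Return one dict per well-formed log line; skip anything else."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]


def triage(scans):
    """Label each reported path by how it behaves across repeated scans."""
    parsed = [parse(s) for s in scans]
    seen = Counter(p for scan in parsed for p in {e["path"] for e in scan})
    verdicts = {}
    for entry in (e for scan in parsed for e in scan):
        path = entry["path"]
        if NTFS_META.match(path) and entry["desc"].startswith("Hidden"):
            verdicts[path] = "ntfs-metadata"   # listed when the hide option is off
        elif seen[path] == len(scans):
            verdicts[path] = "persistent"      # reported by every scan
        else:
            verdicts[path] = "transient"       # not reproduced by the other scans
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SCANS).items():
        print(f"{verdict:14} {path}")
```

Only the entries labelled `persistent` need an explanation; in this thread that is the single Adobe `ApplicationPath` value.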

ghik
Posted: 05 March 2006 at 2:32pm
the second scan:

HKLM\S-1-5-21-1659004503-2077806209-725345543-1003\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath    17.12.2005 22:28    87 bytes    Data mismatch between Windows API and raw hive data.

and the third one showed something similar:
HKLM\S-1-5-21-1659004503-2077806209-725345543-1003\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath    17.12.2005 22:28    87 bytes    Data mismatch between Windows API and raw hive data.
C:\$AttrDef    16.08.2005 23:35    2.50 KB    Hidden from Windows API.
C:\$BadClus    16.08.2005 23:35    0 bytes    Hidden from Windows API.
C:\$BadClus:$Bad    16.08.2005 23:35    34.26 GB    Hidden from Windows API.
C:\$Bitmap    16.08.2005 23:35    1.07 MB    Hidden from Windows API.
C:\$Boot    16.08.2005 23:35    8.00 KB    Hidden from Windows API.
C:\$Extend    16.08.2005 23:35    0 bytes    Hidden from Windows API.
C:\$Extend\$ObjId    16.08.2005 23:35    0 bytes    Hidden from Windows API.
C:\$Extend\$Quota    16.08.2005 23:35    0 bytes    Hidden from Windows API.
C:\$Extend\$Reparse    16.08.2005 23:35    0 bytes    Hidden from Windows API.
C:\$Extend\$UsnJrnl    07.12.2005 21:14    0 bytes    Hidden from Windows API.
C:\$Extend\$UsnJrnl:$Max    07.12.2005 21:14    32 bytes    Hidden from Windows API.
C:\$LogFile    16.08.2005 23:35    64.00 MB    Hidden from Windows API.
C:\$MFT    16.08.2005 23:35    94.77 MB    Hidden from Windows API.
C:\$MFTMirr    16.08.2005 23:35    4.00 KB    Hidden from Windows API.
C:\$Secure    16.08.2005 23:35    0 bytes    Hidden from Windows API.
C:\$UpCase    16.08.2005 23:35    128.00 KB    Hidden from Windows API.
C:\$Volume    16.08.2005 23:35    0 bytes    Hidden from Windows API.

ghik
Posted: 05 March 2006 at 1:34pm
Just ran a scan and got the following:

HKLM\S-1-5-21-1659004503-2077806209-725345543-1003\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath    17.12.2005 22:28    87 bytes    Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CHROME\shell\open\ddeexec    05.03.2006 18:57    0 bytes    Hidden from Windows API.
HKLM\SOFTWARE\Classes\ftp\shell\open\ddeexec    05.03.2006 18:57    0 bytes    Hidden from Windows API.
HKLM\SOFTWARE\Classes\gopher\shell\open\ddeexec    05.03.2006 18:57    0 bytes    Hidden from Windows API.
HKLM\SOFTWARE\Classes\HTTP\shell\open\ddeexec    05.03.2006 18:57    0 bytes    Hidden from Windows API.
HKLM\SOFTWARE\Classes\https\shell\open\ddeexec    05.03.2006 18:57    0 bytes    Hidden from Windows API.
C:\Dokumente und Einstellungen\Paul\Lokale Einstellungen\Temp\~DFD0A6.tmp    05.03.2006 20:06    16.00 KB    Hidden from Windows API.
C:\Dokumente und Einstellungen\Paul\Lokale Einstellungen\Temp\~DFD0B4.tmp    05.03.2006 20:06    512 bytes    Hidden from Windows API.
C:\Dokumente und Einstellungen\Paul\Lokale Einstellungen\Temporary Internet Files\Content.IE5\6RIU6Q3R\CAOCBL53.HTM    05.03.2006 20:06    1.15 KB    Hidden from Windows API.

can someone explain to me what this means? especially the adobe software. i have photoshop cs2 installed on my system.

thank you


Edited by ghik - 05 March 2006 at 2:34pm