Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs
Checking out my Log

southcot (Newbie; joined 16 February 2006; United Kingdom; 6 posts)
Posted: 27 March 2006 at 6:04am
Thanks for your help

namrehto (Senior Member; joined 23 June 2005; Scotland; 3861 posts)
Posted: 27 March 2006 at 6:02am
Googling for the CLSIDs is the immediate route for trying to identify their origin. Since the keys showed 0 bytes in size then there's not much more to do on that score.

Edited by namrehto - 27 March 2006 at 8:25am
Gil

southcot (Newbie; joined 16 February 2006; United Kingdom; 6 posts)
Posted: 27 March 2006 at 3:56am
With regard to the null entries in the registry, I did a Google and forum search for the CLSIDs but they found nothing conclusive. Is there any way of telling whether the entries relate to a legitimate piece of software or not?

southcot (Newbie; joined 16 February 2006; United Kingdom; 6 posts)
Posted: 27 March 2006 at 3:53am
Many Thanks - just got this from the Seti forum too.

namrehto (Senior Member; joined 23 June 2005; Scotland; 3861 posts)
Posted: 27 March 2006 at 2:46am
They're all false positives due to changes while RKR was scanning, some maybe due to unfortunately timed background maintenance. Next time prevent the SETI software from running and ensure you don't use the machine.
Gil

southcot (Newbie; joined 16 February 2006; United Kingdom; 6 posts)
Posted: 27 March 2006 at 1:25am
I have run RootkitRevealer and am including the log below. Being new to this I have done my best to clarify the results. I would however welcome any observations on my interpretation.

I have removed the keys using RegDelNull in lines 1 & 2. It would seem from other posts on the forum that line 3 is a false positive, as are lines 8 to 32. I have posted a request for clarification on the BOINC entries at the SETI site.
  1. HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*    28/10/2005 02:04    0 bytes    Key name contains embedded nulls (*)
  2. HKLM\SOFTWARE\Classes\CLSID\{F2F43379-985D-E7AE-2F5BD6B18999A07F}\{64C9A7C2-676E-3AEC-13AF6B278F65FD89}\{7B815B3C-162E-096A-EBEBEFD33B1AE416}*    29/10/2005 15:23    0 bytes    Key name contains embedded nulls (*)
  3. HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    25/03/2006 18:42    80 bytes    Data mismatch between Windows API and raw hive data.
  4. C:\Program Files\BOINC\projects\setiathome.berkeley.edu\13oc02aa.19035.9169.761084.1.218_2_0    25/03/2006 19:50    7.14 KB    Hidden from Windows API.
  5. C:\Program Files\BOINC\projects\setiathome.berkeley.edu\20dc98aa.26871.22033.386062.1.192    25/03/2006 00:07    353.57 KB    Visible in Windows API, but not in MFT or directory index.
  6. C:\Program Files\BOINC\projects\setiathome.berkeley.edu\20dc98aa.26871.22033.386062.1.192_2_0    25/03/2006 18:05    10.04 KB    Visible in Windows API, but not in MFT or directory index.
  7. C:\Program Files\BOINC\projects\setiathome.berkeley.edu\20dc98aa.26871.29969.779842.1.132    25/03/2006 20:00    353.60 KB    Hidden from Windows API.
  8. C:\System Volume Information\catalog.wci\00010007.ci    25/03/2006 17:04    308.00 KB    Visible in Windows API, directory index, but not in MFT.
  9. C:\System Volume Information\catalog.wci\00010008.ci    25/03/2006 17:08    504.00 KB    Visible in Windows API, directory index, but not in MFT.
  10. C:\System Volume Information\catalog.wci\00010008.dir    25/03/2006 17:08    4.26 KB    Visible in Windows API, directory index, but not in MFT.
  11. C:\System Volume Information\catalog.wci\00010009.ci    25/03/2006 17:20    140.00 KB    Visible in Windows API, directory index, but not in MFT.
  12. C:\System Volume Information\catalog.wci\00010009.dir    25/03/2006 17:20    1.40 KB    Visible in Windows API, directory index, but not in MFT.
  13. C:\System Volume Information\catalog.wci\0001000A.ci    25/03/2006 17:25    652.00 KB    Visible in Windows API, directory index, but not in MFT.
  14. C:\System Volume Information\catalog.wci\0001000A.dir    25/03/2006 17:25    8.72 KB    Visible in Windows API, directory index, but not in MFT.
  15. C:\System Volume Information\catalog.wci\0001000B.ci    25/03/2006 17:31    400.00 KB    Visible in Windows API, directory index, but not in MFT.
  16. C:\System Volume Information\catalog.wci\0001000B.dir    25/03/2006 17:31    3.20 KB    Visible in Windows API, directory index, but not in MFT.
  17. C:\System Volume Information\catalog.wci\0001000C.ci    25/03/2006 17:48    268.00 KB    Visible in Windows API, but not in MFT or directory index.
  18. C:\System Volume Information\catalog.wci\0001000C.dir    25/03/2006 17:48    1.96 KB    Visible in Windows API, but not in MFT or directory index.
  19. C:\System Volume Information\catalog.wci\0001000D.ci    25/03/2006 18:11    268.00 KB    Visible in Windows API, but not in MFT or directory index.
  20. C:\System Volume Information\catalog.wci\0001000D.dir    25/03/2006 18:11    1.90 KB    Visible in Windows API, but not in MFT or directory index.
  21. C:\System Volume Information\catalog.wci\0001000E.ci    25/03/2006 18:54    284.00 KB    Visible in Windows API, but not in MFT or directory index.
  22. C:\System Volume Information\catalog.wci\0001000E.dir    25/03/2006 18:54    2.09 KB    Visible in Windows API, but not in MFT or directory index.
  23. C:\System Volume Information\catalog.wci\0001000F.ci    25/03/2006 19:14    292.00 KB    Visible in Windows API, but not in MFT or directory index.
  24. C:\System Volume Information\catalog.wci\0001000F.dir    25/03/2006 19:14    2.21 KB    Visible in Windows API, but not in MFT or directory index.
  25. C:\System Volume Information\catalog.wci\00010017.ci    25/03/2006 20:03    5.18 MB    Hidden from Windows API.
  26. C:\System Volume Information\catalog.wci\00010017.dir    25/03/2006 20:03    52.15 KB    Hidden from Windows API.
  27. C:\System Volume Information\catalog.wci\CiFLfffc.000    25/03/2006 20:20    240 bytes    Visible in directory index, but not Windows API or MFT.
  28. C:\System Volume Information\catalog.wci\CiFLfffc.001    25/03/2006 20:20    448.00 KB    Visible in directory index, but not Windows API or MFT.
  29. C:\System Volume Information\catalog.wci\CiFLfffc.002    25/03/2006 20:20    448.00 KB    Visible in directory index, but not Windows API or MFT.
  30. C:\System Volume Information\catalog.wci\CiFLfffd.000    25/03/2006 19:14    240 bytes    Visible in Windows API, MFT, but not in directory index.
  31. C:\System Volume Information\catalog.wci\CiFLfffd.001    25/03/2006 19:14    384.00 KB    Visible in Windows API, MFT, but not in directory index.
  32. C:\System Volume Information\catalog.wci\CiFLfffd.002    25/03/2006 19:14    384.00 KB    Visible in Windows API, MFT, but not in directory index.

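The triage Gil describes in this thread (Google the CLSIDs, treat entries that only differ because something changed mid-scan as noise, and rescan with background software stopped) can be made mechanical. The script below is an added example written for this thread, not Sysinternals code and not a RootkitRevealer feature: it parses RKR report lines of the form shown above (path, timestamp, size, discrepancy description), sorts each discrepancy into a class, marks the paths this thread identified as volatile (the RNG seed value, the Indexing Service catalog under System Volume Information, BOINC work files) as likely false positives, and keeps only the findings that persist across two scans. The benign-path list and the second "rescan" log are constructed assumptions for illustration.

```python
"""RootkitRevealer report triage: added example for this thread, not Sysinternals code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a subset of the entries posted above, without the forum numbering.
SAMPLE_LOG = """\
HKLM\\SOFTWARE\\Classes\\CLSID\\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*    28/10/2005 02:04    0 bytes    Key name contains embedded nulls (*)
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed    25/03/2006 18:42    80 bytes    Data mismatch between Windows API and raw hive data.
C:\\Program Files\\BOINC\\projects\\setiathome.berkeley.edu\\20dc98aa.26871.22033.386062.1.192    25/03/2006 00:07    353.57 KB    Visible in Windows API, but not in MFT or directory index.
C:\\System Volume Information\\catalog.wci\\00010007.ci    25/03/2006 17:04    308.00 KB    Visible in Windows API, directory index, but not in MFT.
C:\\System Volume Information\\catalog.wci\\00010017.ci    25/03/2006 20:03    5.18 MB    Hidden from Windows API.
C:\\System Volume Information\\catalog.wci\\CiFLfffc.000    25/03/2006 20:20    240 bytes    Visible in directory index, but not Windows API or MFT.
"""

# Constructed assumption: what a rescan with BOINC stopped and the machine idle might report.
# Transient file entries vanish; the hidden key and the ever-changing RNG seed recur.
RESCAN_LOG = """\
HKLM\\SOFTWARE\\Classes\\CLSID\\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*    28/10/2005 02:04    0 bytes    Key name contains embedded nulls (*)
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed    27/03/2006 01:10    80 bytes    Data mismatch between Windows API and raw hive data.
"""

# Assumption drawn from this thread: paths whose discrepancies are explained by normal churn.
VOLATILE_PATHS: List[Tuple[str, str]] = [
    (r"\\Cryptography\\RNG\\Seed$", "RNG seed is rewritten constantly; API/hive mismatch is expected"),
    (r"\\System Volume Information\\catalog\.wci\\", "Indexing Service catalog rewritten while the scan ran"),
    (r"\\BOINC\\projects\\", "BOINC work files created or removed while the scan ran"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    timestamp: str
    size: str
    description: str

    @property
    def kind(self) -> str:
        """Coarse class of the discrepancy, derived from RKR's description text."""
        d = self.description
        if "embedded nulls" in d:
            return "hidden-registry-key"      # name unreadable through the Registry API
        if d.startswith("Data mismatch"):
            return "registry-data-mismatch"   # API view differs from raw hive bytes
        if d.startswith("Hidden from Windows API"):
            return "file-hidden-from-api"     # on disk, not visible via Win32
        if d.startswith("Visible in"):
            return "file-view-inconsistent"   # API, MFT and directory index disagree
        return "other"


def parse_rkr(text: str) -> List[Finding]:
    """Parse RKR report lines; fields are separated by tabs or runs of 2+ spaces."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\t|\s{2,}", line.strip())
        if len(fields) != 4:
            raise ValueError(f"unexpected field count in line: {line!r}")
        findings.append(Finding(*fields))
    return findings


def triage(f: Finding) -> str:
    """Return a one-line verdict for a finding."""
    for pattern, reason in VOLATILE_PATHS:
        if re.search(pattern, f.path):
            return f"likely false positive: {reason}"
    if f.kind == "hidden-registry-key":
        return "investigate: key name hides it from the Registry API; inspect and remove with RegDelNull"
    return "investigate: no benign explanation; rescan on an idle machine"


def persistent_findings(first: List[Finding], second: List[Finding]) -> List[Finding]:
    """Keep rescan findings that also appeared in the first scan (same path and class).

    Timestamps and sizes are ignored on purpose: a genuinely hidden object recurs
    with the same path, whereas scan-time churn produces different paths each run."""
    seen = {(f.path, f.kind) for f in first}
    return [f for f in second if (f.path, f.kind) in seen]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per discrepancy class."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    scan1 = parse_rkr(SAMPLE_LOG)
    for f in scan1:
        print(f"[{f.kind}] {f.path}\n    -> {triage(f)}")
    print("persisting after rescan:")
    for f in persistent_findings(scan1, parse_rkr(RESCAN_LOG)):
        print(f"    {f.path} -> {triage(f)}")
```

The persistent-findings step encodes the advice in this thread: entries caused by files and keys changing under the scanner do not reproduce on a quiet rescan, so anything that survives two scans is what deserves a closer look.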