do i have an issue with root kits?
Member
4. January 2007 @ 20:04
Here is a RootkitRevealer log, please help a disturbed soul.
I couldn't understand this log to save my life. Has my integroti (as Eric Cartman would say) been compromised?

HKU\S-1-5-21-329068152-1214440339-839522115-500\Software\Zepter Software\RegLib*8427c988 4/23/2006 10:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\2417[1].jpg 1/5/2007 12:39 AM 1.65 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\2[9].jpg 1/5/2007 12:42 AM 3.36 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\43[1].js 1/5/2007 12:37 AM 3.35 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\5[1].htm 1/5/2007 12:41 AM 29.95 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\8638[1].htm 1/5/2007 12:45 AM 17.50 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\9537[1].jpg 1/5/2007 12:40 AM 2.85 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\adjs[1].php 1/5/2007 12:44 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\adjs[2].php 1/5/2007 12:45 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\ads[1].htm 1/5/2007 12:37 AM 3.70 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\ads[2].htm 1/5/2007 12:39 AM 7.45 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\ads[3].htm 1/5/2007 12:45 AM 7.62 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\afterdawn[1].htm 1/5/2007 12:37 AM 59.05 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\all_profiles[1].htm 1/5/2007 12:38 AM 27.68 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\forums.afterdawn[1].htm 1/4/2007 8:12 PM 87.09 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\link_arrow_1[1].gif 1/5/2007 12:37 AM 107 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\player2[1].swf 1/5/2007 12:42 AM 23.10 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\2418[1].jpg 1/5/2007 12:39 AM 1.54 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\25[1].js 1/5/2007 12:37 AM 150 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\2CALYC603.jpg 1/5/2007 12:42 AM 3.36 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\2CAQM4CCK.jpg 1/5/2007 12:42 AM 4.09 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\43[1].js 1/4/2007 8:12 PM 3.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\6[1].htm 1/5/2007 12:41 AM 19.63 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\8629[1].htm 1/5/2007 12:45 AM 19.42 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\ad_quicklists_728x90[1].gif 1/5/2007 12:42 AM 12.91 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\adjs[1].php 1/5/2007 12:37 AM 1.02 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\ads[5].htm 1/5/2007 12:37 AM 9.66 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\ads[6].htm 1/5/2007 12:39 AM 3.84 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\favicon[2].ico 1/5/2007 12:37 AM 318 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\KLOS[1].jpg 1/5/2007 12:45 AM 130.95 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\my_tab_selected[1].gif 1/5/2007 12:39 AM 2.24 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\P1010162w[1].jpg 1/5/2007 12:45 AM 130.45 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\0000008707_000000000000000385479[1].swf 1/5/2007 12:36 AM 26.47 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\2CACARZKK.jpg 1/5/2007 12:42 AM 2.51 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\2CAZMDFEI.jpg 1/5/2007 12:42 AM 2.56 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\7106[1].jpg 1/5/2007 12:40 AM 2.83 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\7150[1].jpg 1/5/2007 12:39 AM 2.54 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\8400[1].jpg 1/5/2007 12:37 AM 2.89 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\8692[1].jpg 1/5/2007 12:44 AM 2.68 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\8773[1].jpg 1/5/2007 12:44 AM 1.72 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\activate_object[1].js 1/5/2007 12:37 AM 126 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\adjs[1].php 1/5/2007 12:39 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\ads[1].htm 1/5/2007 12:40 AM 9.65 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\ads[2].htm 1/5/2007 12:44 AM 9.76 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\glow-art1[1].jpg 1/5/2007 12:45 AM 72.50 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\glow-art2[1].jpg 1/5/2007 12:45 AM 98.50 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\n[1].htm 1/5/2007 12:40 AM 27.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\star_create[1].gif 1/5/2007 12:37 AM 16.04 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\2216[1].jpg 1/5/2007 12:37 AM 3.72 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\2437[1].jpg 1/5/2007 12:39 AM 1.71 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\25[1].js 1/4/2007 8:12 PM 150 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\2[10].jpg 1/5/2007 12:42 AM 4.95 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\40[1].js 1/5/2007 12:37 AM 754 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\6899[1].jpg 1/5/2007 12:40 AM 4.14 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\7149[1].jpg 1/5/2007 12:39 AM 2.47 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\8629[1].jpg 1/5/2007 12:44 AM 2.81 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\adjs[1].php 1/5/2007 12:40 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\dsstrlght[1].htm 1/5/2007 12:44 AM 24.98 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\forums.afterdawn[1].htm 1/5/2007 12:37 AM 86.99 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\P1010071w[1].jpg 1/5/2007 12:45 AM 61.21 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\P1010172w[1].jpg 1/5/2007 12:45 AM 63.24 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\title_topimages[1].gif 1/5/2007 12:37 AM 1.99 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\video_bar_yts1157352107[1].js 1/5/2007 12:42 AM 10.06 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2419[1].jpg 1/5/2007 12:39 AM 3.38 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2420[1].jpg 1/5/2007 12:39 AM 3.45 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2[10].jpg 1/5/2007 12:42 AM 3.69 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2[11].jpg 1/5/2007 12:42 AM 2.64 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\4239[1].jpg 1/5/2007 12:37 AM 2.99 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\7148[1].jpg 1/5/2007 12:39 AM 2.47 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\adjs[1].php 1/5/2007 12:37 AM 1014 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\d[1].htm 1/5/2007 12:41 AM 28.26 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\Happy-new-year[1].jpg 1/5/2007 12:
Wow, that's a lot of info.

Thanks in advance.
Any help is very much appreciated.
bkf
5. January 2007 @ 11:28
Just a quick observation. When doing these tests, the first thing everybody needs to do is clean out their temp files and cookie folders (something they should be doing every day, and shut off all unnecessary known programs). Makes life so much easier. If it's a rootkit, it won't delete. No shot intended; fact is, with your post I ran an RKR to check my system and it came up with the same 7 embedded nulls from 2004 and the mystery hidden empty file from the API on my desktop that has been there forever and can only be seen if you turn on "view all hidden files". Your RKR looks OK to me, but the big guns have to give it their blessing. To me, in your case, all but 3 are in temp folders. Empty them and run again to be sure. Don't touch the system while RKR runs. Good luck, Bk

P.S.: don't feel bad, RKR logs can be tough to read :-)


Member
5. January 2007 @ 16:31
bkf,
Thanks for the heads-up.
Quote:
When doing these tests the first thing everybody needs to do is clean out their temp files and cookie folders.
I didn't know that, but now that I see all those temp files (and the corresponding dates) it should have dawned on me. Anyway, I'll give my machine a quick flush and post back.

In the future (when I try to read these logs), is there a certain file size that might set off a "red flag" (in other words... is there a minimum file size I can ignore?). I see they are all very small.


Member
5. January 2007 @ 17:07
OK, now this is a bit more readable :-)
See what you think.

HKU\S-1-5-21-329068152-1214440339-839522115-500\Software\Zepter Software\RegLib*8427c988 4/23/2006 10:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Administrator\Local Settings\Temp\rtdrvmon.exe 1/5/2007 9:51 PM 40.00 KB Hidden from Windows API.

Know of any links for an RKR guide?
bkf
5. January 2007 @ 22:00
I'll search up your 4 log items. 2 are OK. I bet the other two are also OK, but I want to make sure. The instruction manual should come with the .zip file (if ya can read it, LOL). It's worse than the logs. I would not limit RKR in any way. Some stuff can be quite small. A good thing I learned here at AD is to not touch the system as it scans. RKR seems to pick up on that and adds entries. Bunch of good people here!

One thing troubles me:
"C:\Documents and Settings\Administrator\Local Settings\Temp"
Are you running off your administrator account? That is not a good thing. Those temp files should be going to a user account you make. That account has the same rights as the admin account.

All my temp stuff goes to C:\Documents and Settings\my user name\Local Settings\Temp

There is also a temp folder in C:\windows, not too far under the prefetch folder.


Member
7. January 2007 @ 15:49
Thanks again for the help and the heads-up re: temp folder (long story),
meant to change that. I'll do it now before I forget again.

Have a good one
bkf
8. January 2007 @ 04:18
Some day you can tell me that story, sounds interesting :-)
As far as I can tell your RKR is clean, actually better than mine, but I know my entries are harmless.
  © 1999-2025 by AfterDawn Ltd.