Solve : Rootkit scan log...?

Answer»

I've been scanning for rootkits with RootkitReveal and came up with the following log which I do not understand at all:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      4/15/2006 9:04 AM      80 bytes      Data MISMATCH between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\14\ScanInfo\LastScanFile      4/15/2006 9:04 AM      46 bytes      Windows API length not consistent with raw hive data.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\0ECA619Ad01      4/15/2006 9:07 AM      18.28 KB      Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\5D859893d01      4/15/2006 9:19 AM      65.37 KB      Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\76CDE01Bd01      4/15/2006 9:19 AM      32.26 KB      Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\7EB53FF9d01      4/15/2006 9:06 AM      65.34 KB      Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\B0E78B8Ed01      4/15/2006 9:07 AM      36.24 KB      Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\FF09FDFDd01      4/15/2006 9:20 AM      18.07 KB      Hidden from Windows API.


ANYTHING to be concerned about?  Should I use other rootkit scanners?  I'm seriously reconsidering reinstalling XP.  I'm certain I didn't DOWNLOAD anything malicious... fairly certain at least, but had problems with my firewall a few months back and didn't realize ports were out in the open. I also have results under rkdetector that I don't understand:

No idea, personally - this is a relatively new field of development.  (Aside: I wish we COULD just have one malware detector for everything - that actually worked - rather than virus checker, dedicated trojan checkers, rootkit detectors (subset of trojans), spyware checkers, browser hijack detectors, ad infinitum.)  It would make sense to TAKE this query over to Sysinternals' forum where you're more likely to find lots of people who have already played with this.
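The log quoted in the question is the four-column output RootkitRevealer produces (path, timestamp, size, discrepancy description). What follows is an added triage helper, written for this page and not code from the poster or from Sysinternals: it parses lines in that format, separates registry from file discrepancies, and applies a small set of heuristics for findings that commonly appear without a rootkit being present. The heuristics (a registry value the OS re-seeds continuously, a security product's own scan-state keys, browser cache files that churn while the scan runs) and the tab-or-multiple-space column separator are this example's assumptions; anything they do not cover is left as "review", which is the conservative default for a defender. The ninth input line is constructed to exercise that branch and is not from the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: the eight lines quoted in the question above, plus one
# constructed line (the last one) that no heuristic explains.
SAMPLE_LOG = "\n".join([
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      4/15/2006 9:04 AM      80 bytes      Data MISMATCH between Windows API and raw hive data.",
    r"HKLM\SOFTWARE\TrendMicro\PC-cillin\14\ScanInfo\LastScanFile      4/15/2006 9:04 AM      46 bytes      Windows API length not consistent with raw hive data.",
    r"C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\0ECA619Ad01      4/15/2006 9:07 AM      18.28 KB      Hidden from Windows API.",
    r"C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\5D859893d01      4/15/2006 9:19 AM      65.37 KB      Hidden from Windows API.",
    r"C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\76CDE01Bd01      4/15/2006 9:19 AM      32.26 KB      Hidden from Windows API.",
    r"C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\7EB53FF9d01      4/15/2006 9:06 AM      65.34 KB      Hidden from Windows API.",
    r"C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\B0E78B8Ed01      4/15/2006 9:07 AM      36.24 KB      Hidden from Windows API.",
    r"C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\rsrh69r3.default\Cache\FF09FDFDd01      4/15/2006 9:20 AM      18.07 KB      Hidden from Windows API.",
    # Constructed example line, not from the post: a file hidden from the API
    # in a location none of the heuristics below vouch for.
    r"C:\example\unexplained.bin      4/15/2006 9:30 AM      12 bytes      Hidden from Windows API.",
])

# Columns are assumed to be separated by a tab or by two or more spaces; paths,
# timestamps and sizes contain single spaces, so a plain split() would not do.
FIELD_SEP = re.compile(r"\t|\s{2,}")
SIZE_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Triage heuristics: assumptions of this example, not RootkitRevealer logic.
# Each is (path pattern, reason the discrepancy is expected without a rootkit).
VOLATILE_REGISTRY = [
    (re.compile(r"\\Cryptography\\RNG\\Seed$", re.I),
     "the OS re-seeds this value continuously, so API and raw-hive reads differ"),
    (re.compile(r"\\ScanInfo\\", re.I),
     "a security product rewrites its own scan state while the scan runs"),
]
TRANSIENT_FILES = [
    (re.compile(r"\\Firefox\\Profiles\\[^\\]+\\Cache\\", re.I),
     "browser cache files are created and deleted during the scan"),
]


@dataclass
class Finding:
    path: str
    timestamp: datetime
    size_bytes: int
    description: str
    kind: str      # "registry" or "file"
    verdict: str   # "likely benign: ..." or "review: ..."


def parse_size(text: str) -> int:
    """Convert '80 bytes' / '18.28 KB' to an integer byte count."""
    value, unit = text.split()
    return round(float(value) * SIZE_UNITS[unit])


def triage(kind: str, path: str) -> str:
    """Apply the heuristics above; anything unexplained is left for review."""
    rules = VOLATILE_REGISTRY if kind == "registry" else TRANSIENT_FILES
    for pattern, reason in rules:
        if pattern.search(path):
            return f"likely benign: {reason}; confirm by rescanning (a transient finding does not recur)"
    return "review: no heuristic explains this discrepancy"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one four-column RootkitRevealer line; return None for non-findings."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) != 4:
        return None
    path, stamp, size, desc = fields
    kind = "registry" if path.upper().startswith("HK") else "file"
    return Finding(path, datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
                   parse_size(size), desc, kind, triage(kind, path))


def parse_log(text: str) -> List[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind and by triage outcome."""
    counts = {"registry": 0, "file": 0, "likely benign": 0, "review": 0}
    for f in findings:
        counts[f.kind] += 1
        counts["review" if f.verdict.startswith("review") else "likely benign"] += 1
    return counts


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(summarize(found))
    # Unexplained items first, then the rest in time order.
    for f in sorted(found, key=lambda x: (not x.verdict.startswith("review"), x.timestamp)):
        print(f"{f.timestamp:%Y-%m-%d %H:%M}  {f.kind:8} {f.size_bytes:>7} B  {f.path}\n    {f.description}\n    {f.verdict}")
```

Run it against a saved RootkitRevealer log (`parse_log(open(path).read())`) and start with whatever lands in "review". The useful check the heuristics point at is the rescan: a discrepancy produced by a value or file that changed while the scan was running will not appear in the same place twice, whereas something that is genuinely hidden from the Windows API will.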
