Tech Support Guy
Discussion Starter · #1 ·
I run 2 computers in an XP network on one mouse/keyboard/monitor through a KVM. Both are connected to DSL through a router. Lately, my #2 refused to start windowsbit defender. An AVG Free check showed "no threats" but changes in kernel32.dll and shell32.dll. Besides, it froze after I had been working on #1 for a while, and could only be restarted after a hard reset. Afraid of having contracted a rootkit infection, I ran a RootkitRevealer scan, which showed a lot of discrepancies. In the Sysinternals forum (which is too technical for me), one poster who had a discrepancy shown by his scan was asked if his mouse was acting up. Actually, mine does: sometimes it just runs to the side of the screen and I have to drag it back. Just now I discovered that my #1 computer got the same problem: changes in kernel32.dll, shell32.dll (2x) and ntos32.dll.
Here are the results of the rootkit scan of my #2 computer; for #1 I haven't got one yet, since I'm in the middle of a hurry job.

HKLM\SECURITY\Policy\Secrets\SAC* 01/01/2005 1.36 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 01/01/2005 1.36 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Atelier Web\AWRC*** 08/09/2006 14.59 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
C:\System Volume Information\catalog.wci\00010005.ci 03/01/2007 9.01 60.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.dir 03/01/2007 9.01 704 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010006.ci 03/01/2007 9.02 20.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010006.dir 03/01/2007 9.02 412 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.ci 03/01/2007 9.03 432.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.dir 03/01/2007 9.03 4.62 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.ci 03/01/2007 9.04 52.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.dir 03/01/2007 9.04 586 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000A.ci 03/01/2007 9.05 24.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000A.dir 03/01/2007 9.05 449 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000B.ci 03/01/2007 9.06 20.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000B.dir 03/01/2007 9.06 410 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000D.ci 03/01/2007 9.06 132.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000D.dir 03/01/2007 9.06 1.14 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000E.ci 03/01/2007 9.06 52.00 KB Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\0001000E.dir 03/01/2007 9.06 612 bytes Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\0001000F.ci 03/01/2007 9.06 24.00 KB Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\0001000F.dir 03/01/2007 9.06 429 bytes Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\00010012.ci 03/01/2007 9.06 828.00 KB Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\00010012.dir 03/01/2007 9.06 5.10 KB Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\CiFLfffc.000 03/01/2007 9.02 240 bytes Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\CiFLfffc.001 03/01/2007 9.02 512.00 KB Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\CiFLfffc.002 03/01/2007 9.02 512.00 KB Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\CiFLfffd.000 03/01/2007 9.06 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.001 03/01/2007 9.06 512.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.002 03/01/2007 9.06 512.00 KB Hidden from Windows API.

Anybody who knows where to look or what to do?
Thanks in advance!

P.S. What struck me as odd is that most entries are from 17/10/2006 and 03/01/2007.
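As an added example (not from this thread and not Sysinternals code), here is a small parser for report lines in the layout RootkitRevealer prints above, which sorts each discrepancy into a triage bucket and counts entries per date, the pattern the poster noticed. The bucket rules are assumptions for a first pass, not a verdict: the Secrets keys are treated as expected, Indexing Service files under catalog.wci as likely scan-time churn, CLSID keys as worth reviewing, and everything else as needing investigation; the sample report is constructed, including the placeholder path `C:\example\hidden.dat`.

```python
import re
from collections import Counter

# Constructed sample in RootkitRevealer's report layout: path, date, time,
# size, discrepancy. The last line is a placeholder, not from the post.
SAMPLE_REPORT = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 01/01/2005 1.36 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 17/10/2006 9.49 0 bytes Key name contains embedded nulls (*)
C:\System Volume Information\catalog.wci\00010005.ci 03/01/2007 9.01 60.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000E.ci 03/01/2007 9.06 52.00 KB Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\CiFLfffc.000 03/01/2007 9.02 240 bytes Visible in Windows API, directory index, but not in MFT.
C:\example\hidden.dat 17/10/2006 9.49 12.00 KB Hidden from Windows API.
"""

# One report line: a path (may contain spaces), dd/mm/yyyy, h.mm, a size
# with unit, then the free-text discrepancy description.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}\.\d{2}) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB)) (?P<discrepancy>.+)$"
)


def parse_report(text):
    """Return one dict per well-formed line; blank or unparseable lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def triage(entry):
    """Assumed first-pass rules; a real case still needs manual review."""
    path, disc = entry["path"].lower(), entry["discrepancy"]
    if path.startswith(r"hklm\security\policy\secrets") and "embedded nulls" in disc:
        return "expected"        # assumption: Windows itself stores these secret names this way
    if r"\system volume information\catalog.wci" in path:
        return "likely-timing"   # assumption: Indexing Service catalog rewritten during the scan
    if "embedded nulls" in disc:
        return "review"          # e.g. CLSID keys: check what the InprocServer32 value points to
    return "investigate"         # hidden files/keys outside the known-noisy locations


def summarize(text):
    entries = parse_report(text)
    return {
        "by_triage": Counter(triage(e) for e in entries),
        "by_date": Counter(e["date"] for e in entries),
        "investigate": [e["path"] for e in entries if triage(e) == "investigate"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```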