Here is a RootkitRevealer log, please help a disturbed soul. I couldn't understand this log to save my life. Has my integroti (as Eric Cartman would say) been compromised?

HKU\S-1-5-21-329068152-1214440339-839522115-500\Software\Zepter Software\RegLib*8427c988 4/23/2006 10:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\2417[1].jpg 1/5/2007 12:39 AM 1.65 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\2[9].jpg 1/5/2007 12:42 AM 3.36 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\43[1].js 1/5/2007 12:37 AM 3.35 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\5[1].htm 1/5/2007 12:41 AM 29.95 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\8638[1].htm 1/5/2007 12:45 AM 17.50 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\9537[1].jpg 1/5/2007 12:40 AM 2.85 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\adjs[1].php 1/5/2007 12:44 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\adjs[2].php 1/5/2007 12:45 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\ads[1].htm 1/5/2007 12:37 AM 3.70 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\ads[2].htm 1/5/2007 12:39 AM 7.45 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\ads[3].htm 1/5/2007 12:45 AM 7.62 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\afterdawn[1].htm 1/5/2007 12:37 AM 59.05 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\all_profiles[1].htm 1/5/2007 12:38 AM 27.68 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\forums.afterdawn[1].htm 1/4/2007 8:12 PM 87.09 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\link_arrow_1[1].gif 1/5/2007 12:37 AM 107 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\player2[1].swf 1/5/2007 12:42 AM 23.10 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\2418[1].jpg 1/5/2007 12:39 AM 1.54 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\25[1].js 1/5/2007 12:37 AM 150 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\2CALYC603.jpg 1/5/2007 12:42 AM 3.36 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\2CAQM4CCK.jpg 1/5/2007 12:42 AM 4.09 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\43[1].js 1/4/2007 8:12 PM 3.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\6[1].htm 1/5/2007 12:41 AM 19.63 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\8629[1].htm 1/5/2007 12:45 AM 19.42 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\ad_quicklists_728x90[1].gif 1/5/2007 12:42 AM 12.91 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\adjs[1].php 1/5/2007 12:37 AM 1.02 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\ads[5].htm 1/5/2007 12:37 AM 9.66 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\ads[6].htm 1/5/2007 12:39 AM 3.84 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\favicon[2].ico 1/5/2007 12:37 AM 318 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\KLOS[1].jpg 1/5/2007 12:45 AM 130.95 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\my_tab_selected[1].gif 1/5/2007 12:39 AM 2.24 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FIE8ARYJ\P1010162w[1].jpg 1/5/2007 12:45 AM 130.45 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\0000008707_000000000000000385479[1].swf 1/5/2007 12:36 AM 26.47 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\2CACARZKK.jpg 1/5/2007 12:42 AM 2.51 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\2CAZMDFEI.jpg 1/5/2007 12:42 AM 2.56 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\7106[1].jpg 1/5/2007 12:40 AM 2.83 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\7150[1].jpg 1/5/2007 12:39 AM 2.54 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\8400[1].jpg 1/5/2007 12:37 AM 2.89 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\8692[1].jpg 1/5/2007 12:44 AM 2.68 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\8773[1].jpg 1/5/2007 12:44 AM 1.72 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\activate_object[1].js 1/5/2007 12:37 AM 126 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\adjs[1].php 1/5/2007 12:39 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\ads[1].htm 1/5/2007 12:40 AM 9.65 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\ads[2].htm 1/5/2007 12:44 AM 9.76 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\glow-art1[1].jpg 1/5/2007 12:45 AM 72.50 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\glow-art2[1].jpg 1/5/2007 12:45 AM 98.50 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\n[1].htm 1/5/2007 12:40 AM 27.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHB6V2B7\star_create[1].gif 1/5/2007 12:37 AM 16.04 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\2216[1].jpg 1/5/2007 12:37 AM 3.72 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\2437[1].jpg 1/5/2007 12:39 AM 1.71 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\25[1].js 1/4/2007 8:12 PM 150 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\2[10].jpg 1/5/2007 12:42 AM 4.95 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\40[1].js 1/5/2007 12:37 AM 754 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\6899[1].jpg 1/5/2007 12:40 AM 4.14 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\7149[1].jpg 1/5/2007 12:39 AM 2.47 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\8629[1].jpg 1/5/2007 12:44 AM 2.81 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\adjs[1].php 1/5/2007 12:40 AM 938 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\dsstrlght[1].htm 1/5/2007 12:44 AM 24.98 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\forums.afterdawn[1].htm 1/5/2007 12:37 AM 86.99 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\P1010071w[1].jpg 1/5/2007 12:45 AM 61.21 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\P1010172w[1].jpg 1/5/2007 12:45 AM 63.24 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\title_topimages[1].gif 1/5/2007 12:37 AM 1.99 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\video_bar_yts1157352107[1].js 1/5/2007 12:42 AM 10.06 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2419[1].jpg 1/5/2007 12:39 AM 3.38 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2420[1].jpg 1/5/2007 12:39 AM 3.45 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2[10].jpg 1/5/2007 12:42 AM 3.69 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\2[11].jpg 1/5/2007 12:42 AM 2.64 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\4239[1].jpg 1/5/2007 12:37 AM 2.99 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\7148[1].jpg 1/5/2007 12:39 AM 2.47 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\adjs[1].php 1/5/2007 12:37 AM 1014 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\d[1].htm 1/5/2007 12:41 AM 28.26 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH11XRA3\Happy-new-year[1].jpg 1/5/2007 12:

Wow, that's a lot of info. Thanks in advance, any help is very much appreciated.
Just a quick observation. When doing these tests, the first thing everybody needs to do is clean out their temp files and cookie folders (something they should be doing every day, and shut off all unnecessary known programs). Makes life so much easier. If it's a rootkit it won't delete. No shot intended; fact is, with your post I ran RKR to check my system and it came up with the same 7 embedded nulls from 2004 and the mystery hidden empty file from the API on my desktop that has been there forever and can only be seen if you turn on view all hidden files. Your RKR looks OK to me, but the big guns have to give it their blessing. To me, in your case all but 3 are in temp folders. Empty them and run again to be sure. Don't touch the system while RKR runs. Good luck, Bk. PS: don't feel bad, RKR logs can be tough to read.
bkf, thanks for the heads up. I didn't know that, but now that I see all those temp files (and the corresponding dates) it should have dawned on me. Anyway, I'll give my machine a quick flush and post back. In the future (when I try to read these logs), is there a certain file size that might set off a "red flag" (in other words, is there a minimum file size I can ignore)? I see they are all very small.
OK, now this is a bit more readable, see what you think.

HKU\S-1-5-21-329068152-1214440339-839522115-500\Software\Zepter Software\RegLib*8427c988 4/23/2006 10:18 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Administrator\Local Settings\Temp\rtdrvmon.exe 1/5/2007 9:51 PM 40.00 KB Hidden from Windows API.

Know of any links for a RKR guide?
I'll search up your 4 log items. 2 are OK. I bet the other two are also OK, but I want to make sure. The instruction manual should come with the .zip file (if ya can read it, LOL). It's worse than the logs. I would not limit RKR in any way. Some stuff can be quite small. A good thing I learned here at AD is to not touch the system as it scans. RKR seems to pick up on that and adds entries. Bunch of good people here! One thing troubles me: "C:\Documents and Settings\Administrator\Local Settings\Temp". Are you running off your administrator account? That is not a good thing. Those temp files should be going to a user account you make. That account has the same rights as the admin account. All my temp stuff goes to C:\Documents and Settings\my user name\Local Settings\Temp. There is also a temp folder in C:\Windows not too far under the prefetch folder.
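As an added illustration of the reading method bkf describes in the two replies above (clear the browser cache and re-run, treat the 2004 embedded-null entries as something a clean machine also shows, ignore nothing on size alone, and then look closely at whatever is left, which in the trimmed log is the hidden executable in Temp), the script below parses entries in the space-separated layout as pasted in this thread and sorts them into review tiers. It is not from the thread, from AfterDawn, or from RootkitRevealer itself; the tier rules, the `EXEC_EXT` list and the `SAMPLE_LOG_LINES` list are my own construction (the entries in it are copied from the posts above). A "high" tier means "inspect this one first", not that the file is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout the thread shows: path, timestamp, size,
# discrepancy text. The individual entries are copied from the posts above.
SAMPLE_LOG_LINES = [
    r"HKLM\SECURITY\Policy\Secrets\SAC* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)",
    r"HKLM\SECURITY\Policy\Secrets\SAI* 12/28/2004 3:12 AM 0 bytes Key name contains embedded nulls (*)",
    r"HKU\S-1-5-21-329068152-1214440339-839522115-500\Software\Zepter Software\RegLib*8427c988 4/23/2006 10:18 PM 0 bytes Key name contains embedded nulls (*)",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\49K1YS37\ads[1].htm 1/5/2007 12:37 AM 3.70 KB Hidden from Windows API.",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PY7Q06PB\forums.afterdawn[1].htm 1/5/2007 12:37 AM 86.99 KB Visible in directory index, but not Windows API or MFT.",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\rtdrvmon.exe 1/5/2007 9:51 PM 40.00 KB Hidden from Windows API.",
]

# Paths may contain spaces, so the path is matched non-greedily up to the
# first thing that looks like an RKR timestamp.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB)\s+"
    r"(?P<desc>.+?)\s*$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}
# Extensions that deserve a first look when hidden in a Temp folder (my own list).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif")


@dataclass
class Finding:
    path: str
    when: str
    size_bytes: int
    desc: str
    tier: str  # "low", "medium" or "high"
    reason: str


def parse_entry(line):
    """Split one pasted RKR line into (path, timestamp, size in bytes, description), or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = int(float(m["size"]) * UNIT[m["unit"]])
    return m["path"], m["when"], size, m["desc"]


def classify(path, desc):
    """Apply the thread's rules of thumb; size is deliberately not a criterion."""
    p = path.lower()
    d = desc.lower()
    if "embedded nulls" in d:
        if p.startswith(r"hklm\security\policy\secrets"):
            return "low", "LSA secrets key with embedded nulls; the same SAC/SAI entries showed up on a clean machine in this thread"
        return "medium", "registry key with embedded nulls outside LSA secrets; confirm which product owns it"
    if ("temporary internet files" in p or "\\cookies\\" in p) and d.startswith("hidden from windows api"):
        return "low", "browser cache entry; clear the cache and re-run before reading anything into it"
    if "visible in" in d:
        return "low", "API/MFT/directory index mismatch; RKR adds these when the system is used during the scan, so re-run with it idle"
    if "\\temp\\" in p and p.endswith(EXEC_EXT) and "hidden from windows api" in d:
        return "high", "executable in a Temp folder hidden from the Windows API; inspect this one first"
    return "medium", "unexplained discrepancy; compare against a known-clean system"


def triage(lines):
    """Parse every line that looks like an RKR entry and attach a tier and reason."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        path, when, size, desc = parsed
        tier, reason = classify(path, desc)
        findings.append(Finding(path, when, size, desc, tier, reason))
    return findings


def summarize(findings):
    """Count findings per tier."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.tier] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    findings = triage(SAMPLE_LOG_LINES)
    for f in sorted(findings, key=lambda f: order.index(f.tier)):
        print(f"[{f.tier:6}] {f.size_bytes:>7} B  {f.path}")
        print(f"         {f.reason}")
    print(summarize(findings))
```

Feed it the pasted text of a full log (one entry per line) and the "high" and "medium" rows are the ones worth asking about on the forum; the "low" rows are the cache clutter and scan-time noise that bkf recommends clearing away before the next run.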
Thanks again for the help and the heads-up re: temp folder (long story), meant to change that. I'll do it now before I forget again. Have a good one.
Some day you can tell me that story, sounds interesting. As far as I can tell your RKR is clean, actually better than mine, but I know my entries are harmless.