Pages

Wednesday, December 4, 2013

Does my laptop Windows XP have rootkit installed?

I did run RootKitRevealer from http://technet.microsoft.com/en-in/sysinternals/bb545027.aspx and it bring back following data. I don’t have time to understand it for now, Can someone shed some light to it?

HKU\S-1-5-21-1645522239-1592454029-1801674531-1003\Software\ThinPrint\Lang    3/8/2012 1:22 AM    3 bytes    Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1645522239-1592454029-1801674531-1004\Software\ThinPrint\Lang 4/6/2012 2:08 PM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 5/5/2010 12:34 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/5/2010 12:34 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\.wid\bin 11/10/2013 1:30 PM 176 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\ 1/11/2012 9:37 PM 19 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\ANJANI BHUSHAN\Local Settings\Application Data\Box Sync\Logs\BoxSyncLog__3.4.25.0_11_10_2013.log 11/10/2013 2:17 PM 56 bytes Hidden from Windows API.
C:\Documents and Settings\ANJANI BHUSHAN\Local Settings\Temporary Internet Files\Content.IE5\NDN956ZP\views[1] 11/10/2013 2:17 PM 5.46 KB Hidden from Windows API.
C:\Documents and Settings\arjun\Local Settings\Application Data\Google\Google Desktop\e63d4d8f0508\filequeue.dat 9/28/2013 7:49 PM 22.44 KB Hidden from Windows API.
C:\Documents and Settings\arjun\Local Settings\Temporary Internet Files\Content.IE5\5EJZRIKK\views[1] 11/10/2013 2:17 PM 5.46 KB Hidden from Windows API.
C:\Documents and Settings\arjun\Recent\chrome-downloads.lnk 11/6/2013 12:31 PM 385 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\arjun\Recent\email-address-of-media.txt (2).lnk 11/5/2013 11:58 AM 508 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\arjun\Recent\June-28-Anjan-writes-about-vultures.pdf.lnk 9/26/2013 12:16 PM 549 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\arjun\Recent\part200.rtf (2).lnk 9/25/2013 8:00 PM 767 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\arjun\Recent\readme.txt.lnk 11/10/2013 2:14 PM 614 bytes Hidden from Windows API.
C:\Documents and Settings\arjun\Recent\RootkitRevealer.chm.lnk 11/10/2013 2:10 PM 643 bytes Hidden from Windows API.
C:\Documents and Settings\arjun\Recent\SysinternalsSuite.lnk 11/10/2013 2:14 PM 465 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B9B2B540-34D8-4370-B6B5-3DE1159FBF3F}\RP977\A0189557.lnk 9/25/2013 8:00 PM 767 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B9B2B540-34D8-4370-B6B5-3DE1159FBF3F}\RP977\A0189558.lnk 9/26/2013 12:16 PM 549 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B9B2B540-34D8-4370-B6B5-3DE1159FBF3F}\RP977\A0189559.lnk 11/6/2013 12:31 PM 385 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B9B2B540-34D8-4370-B6B5-3DE1159FBF3F}\RP977\A0189560.lnk 11/10/2013 2:14 PM 508 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\MMC.EXE-398DCF39.pf 11/10/2013 2:17 PM 76.08 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\REGDELNULL.EXE-301C6017.pf 11/10/2013 2:14 PM 16.79 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf 11/10/2013 2:15 PM 18.25 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-155CD7BB.pf 11/10/2013 2:19 PM 19.88 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-47122EC4.pf 11/10/2013 2:19 PM 31.41 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf 11/10/2013 2:21 PM 21.67 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11/10/2013 2:19 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.