Rootkit Revealer Detection !!


Hard Rocker
June 2nd, 2005, 03:42 AM
Hi, :o

I just downloaded & ran Rootkit Revealer & it immediately detected HKLM\SOFTWARE\Classes\webcal\URL Protocol.

When the scan was complete it showed 7 discrepancies .... 6 of them in C\System Volume Information.

What I find strange is that the timestamp ( for the HKLM\SOFTWARE\Classes .... etc ) is indicated at August 31, 2004 & since this is a new PC .... I never accessed the internet before September 22, 2004. The C\System Volume Information timestamps indicate 02/06/2005 which would be today's date. ???

It also states on the HKLM\SOFTWARE line that there is a data mismatch between Windows API and raw hive data.

I am a new PC User so I hope I'm providing useful info on this & I do realize it is quite late .... early morning .... as well. However, I'm quite concerned about this & wanted to make this post anyway.

Thoughts or Advice Anyone ??

HR 8)

Hard Rocker
June 2nd, 2005, 05:42 AM
I just installed the 30 day trial of UnHack Me & it does not detect anything, ???

It does not have a scanner as with Rootkit Revealer .... but when I select " Check Me Now ! " it informs me that NO trojans are found. I also have the background monitor enabled.

Which program should I believe ? :-\

Could Rootkit Revealer's detection be a False Positive or is it in fact flagging malware UnHack Me might have missed ? How would I know either way at this point in time ? :(

HR 8)

richrf
June 2nd, 2005, 08:27 AM
Hi HD,

Some other experts will be along shortly and will probably want to look at a screenshot. But first:

1) My guess is that there is no rootkit.
2) Did you run an AV scan? If so, which product?
3) Was anything else running (started up) while you were doing the Rootkit Revealer scan?
4) I would trust the UnHackMe results for now. It is always difficult to interpret the RR results.

Rich

Hard Rocker
June 2nd, 2005, 08:49 AM
Hi again Rich, :D

I'll run my BitDefender on demand scanner when I log off here .... especially since I know what you think of Norton. (lol)

I went into regedit & have the location in question open on my PC & minimized. However I've no idea what to do .... if anything from here.

Thanks for responding & I have to get going right now .... but I can assure you I'll be back here as soon as I can.

I sort of thought it could have been a F/P as well .... or at least I'm hoping that is the case. ???

Take it easy guy !!
Hard Rocker 8)

richrf
June 2nd, 2005, 09:57 AM
Hi HD,

I wouldn't worry for now. The results of RR are very difficult to interpret, so just try to get a screen shot so others can look over what is happening.

Cya around,
Rich

Pikachu762
June 2nd, 2005, 03:40 PM
You might want to try a scan with F-Secure's beta RK detection program called Blacklight.

It's at http://www.f-secure.com/blacklight/cure.shtml

Hard Rocker
June 2nd, 2005, 04:42 PM
:) Thanks for the info & the link ..... I will check it out now.

HR 8)

Hard Rocker
June 2nd, 2005, 05:03 PM
Hi, :D

Just finished scanning with BlackLight Beta .... Total of 59 processes .... & NO Hidden Items Found !!

So it's 2 out of 3 .... on the positive side. ;D

HR 8)

lynchknot
June 2nd, 2005, 05:23 PM
Hard Rocker, I hope you don't but your thread will be an education for me and others (mismatch). I ran all the same tests and came up negative - except I have a hive dump problem with RootkitRevealer.

Thanks for posting.

-{ Quote: "Hi HD,

Some other experts will be along shortly and will probably want to look at a screenshot. But first:

1) My guess is that there is no rootkit.
2) Did you run and AV scan? If so, which product?
3) Was anything else running (started up) while you were doing the Rootkit Revealer scan?
4) I would trust the UnHackMe results for now. It is always difficult to interpret the RR results.

Rich" }-
I can appreciate your post richrf.

Nice post. Over at another board they will marvel at how you got infected with all your security apps (without even knowing for sure) - after posting your personal list of apps and linking to it (making it public at a board you are not a member of). When you get angry over it, they will say your attitude sucks and then won't help you.

richrf
June 2nd, 2005, 05:57 PM
Hi guys,

It's for situations like this that I think it is nice to have products like ProcessGuard in place that prevent the installation of rootkits. All indications are that you do not have it, and ProcessGuard is kind of like your final insurance policy.

Personally, I think that Rootkit Revealer is showing some issues exist somewhere on your system, but probably nothing that has to do with rootkits or any other malware.

Rich

kareldjag
June 2nd, 2005, 06:35 PM
Hi,

Rootkit Revealer is an interesting utility, but a waste of time if we can't read and understand the results.

All rootkits are not detected by AVs: it depends on which one we have.

The common Windows rootkits are detected by UnHackMe (HxDef, Vanquish, AFXRootkit2005...).

For an easy detection, it's better to take a look at hidden processes and services:

With KprocCheck: http://www.security.org.sg/code/kproccheck.html

Or with Frisk: http://sourceforge.net/projects/frisk

Just unzip the file and double click on the frisk.bat file.
Give an "allow once" permission for the files on the firewall.

When the check up is finished, choose the hard drive "c", and answer "yes" to the question "are you sure...".

Then take a look at the html report which is located in "C" (it's named with the date and the OEM-number).
And just double-click on the "Detect Rootkits" reports (see the image).

Regards

lynchknot
June 2nd, 2005, 08:09 PM
Sorry Hard Rocker, I just realized it may appear I'm taking over your thread. I don't mean to, but it would be pointless to start another one. Please continue.


Thanks kareldjag! I like the name "Frisk", very appropriate.
nice!

-{ Quote: " . .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright (c) 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 332 services )
-Gathering process List Information... ( Found: 57 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )" }-

oh oh! "SUSPICIOUS MODULE" - perhaps why OE and scannow will not start in my computer

-{ Quote: " *SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..Unable to load tcp.dll
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)" }-

Hard Rocker
June 3rd, 2005, 02:57 AM
All I can say at this point is ..... aside from Rich & another member no one has really helped me with my original question.

I am however downloading Frisk as I'm typing this post & maybe that will shed more light on my problem.

I realize threads DO sometimes get off topic ..... or whatever, but isn't there a moderator for this forum that's supposed to move certain topics to a new thread or something when this happens. I'm kind of new to Wilders so I don't know all of the guidelines ..... so to speak. As well, I believe that this is the first time I've started a thread in this location so I don't really know what happens here either.

Take it easy guys !!

HR

lynchknot
June 3rd, 2005, 03:10 AM
As far as I know it's on topic (rootkit detection). While you wait for an expert to come and read your post, since none of us know too much about reading the results, kareldjag was kind enough to show us some alternatives - all applicable to the topic at hand. I am currently experiencing the exact same issue topic as I have run rootkitrevealer just yesterday and not having good results. That is why I find your topic exactly the topic I am experiencing. If you like, we can have two identical topics if you feel I'm intruding.

If someone runs a search for rootkits and detection. I believe he's supposed to enter the most current thread instead of starting his own. I'm guilty of starting two others but different topics. This one offered new alternatives so I'm here. I can't see me going back to my thread requesting alternatives and kareldjag posting again what he posted here.

I am posting results for your benefit as well. Hoping we arrive at a good conclusion. If I come to some realization and can help you. You can bet I would be glad to give you a hand.

I don't know too much about this security stuff, but one thing I know quite a bit of is in my sig. In fact that's one area I'm an expert in (sort of)

Hard Rocker
June 3rd, 2005, 05:13 AM
Ok lynchknot, ;)

Now that I ran Frisk I see where you are coming from. I did not understand all the technical data in your post & thought you had a different problem.

It seems that we are both dealing with the same sort of issue I would think. Also I did not know that you also had an ongoing separate thread.

It took me a little while .... but I finally figured out how to get Frisk running & when I checked the html report it shows me the same results as you obtained with the suspicious modules & the 0 running rootkits. ???

Since I do not know how to post screenshots .... that is the best I can do for now & thanks would be in order to kareldjag for his input & instructions about Frisk.

Also, if you are referring to scannow (check of windows files) .... mine runs fine & I seem to have the same Frisk results as you. I should mention I'm a fairly new PC User so all of this is really quite " heavy duty " for me at this point in time. :-\

HR 8)

lynchknot
June 3rd, 2005, 01:36 PM
Well that's, sort of, a relief to me (having same output) because I was worried about the suspicious modules. One other problem I'm having, besides sfc \scannow not opening, is Outlook Express refuses to open as well (outlook opens though but I don't use it)

HR, you can use the "print screen" button and paste into "paint" or any graphics editor you may have - then crop it - save as *"jpg" and host it here: http://www.imageshack.us/

*mine won't let me save a cropped image as jpg only bmp so I have to copy then push "new" and paste again and save as jpg.

Or you can get an app called "snagit (http://www.techsmith.com/products/snagit/default.asp)" which is what I use and it's great. If you want more help in this area I'd be glad to help via PM's.

Hard Rocker
June 3rd, 2005, 08:13 PM
Hi, :)

My Outlook Express opens fine .... in fact I had that Microsoft welcome message sitting there .... since way back when. ???

Today was the first time I ever opened the program since I bought this PC from DELL back in October.

I bookmarked " snagit " for now & thanks for your help offer. I guess the trial period is for 30 days .... or whatever, so I won't download it until I really need to use it. I'm not too enthusiastic about paying $39.99 for a program that won't get used very often.

So what's next ? I guess we will have to keep waiting & hope someone will be able to shed some light on the rootkit detection situation !! :-\

Also, in my html report : under, searching for wrong Service Paths it shows .... Found : 3 wrong Services. I don't know what that's about. ???

HR 8)

richrf
June 3rd, 2005, 10:52 PM
Hi Guys,

I ran rkdetector on my machine (which I know is clean), and it showed no hidden processes or rootkits, but it did have ProcessGuard as "wrong service path". I don't know what this means, but it is nothing to worry about.

Here is a short thread on rkdetector and also how to use RegdatXp to locate rootkits:

http://www.wilderssecurity.com/archive/index.php/t-33519

I think UnHackMe uses a similar algorithm to identify "cloaked registry entries".

In any case, I don't think you have any rootkit or anything to be concerned about. But you can see, it gives lots of relief to know that ProcessGuard is running and helping to defeat rootkit installation - just for the peace of mind. :)

Cya,
Rich

Hard Rocker
June 5th, 2005, 10:09 AM
:D Thanks Rich,

Interesting link ..... very educational !!

Wonder what's going on with lynchknot ..... haven't heard from him in a couple of days.

I've been looking at Process Guard again but I want to make sure if I do download it that I have plenty of time to devote to setting PG up & NOT have any other PC issues to worry about.

HR 8)

lynchknot
June 5th, 2005, 07:58 PM
Hello Hard Rocker. I had to take a break from the internet. I let life's trials and tribulations erode any patience I had for people on the net, including myself - coupled with my computer problem - just made it worse as the computer takes #1 priority when it's not functioning correctly (being the computer addict I am). I decided I should be the priority and take time for myself. Thanks for asking.

It's good to hear your computer is fine. I hope you like PG. It's a must for me. I feel naked without it.

**edit - scannow is fixed (http://www.mvps.org/marksxp/WindowsXP/SP2/common.php)

Hard Rocker
June 6th, 2005, 11:36 PM
Hi Lynchknot, :D

I can certainly understand your frustrations & concerns !!

As a new user ( October 2004 ) and being a guy whose main interests previously were both playing & being into music as my # 1 priority I have found it very hard at times coping with all of the security issues related to PCs. Especially when I hear from different sources about how Mac users do NOT have to deal with all the malware problems that we do. >:(

Hang in there guy ..... we don't have much choice.

All I can say is Wilders has been a huge help to me & as long as I have a PC I will most likely be a member here !!

Take it easy,
HR 8)

lynchknot
June 6th, 2005, 11:46 PM
That's really not the whole truth. I'll come clean here as well. There's more going on in real life - my mom's mental deterioration (loss of words and mental acuity) coupled with health issues (advanced diabetes, osteoporosis - she fell, walking in the house and broke her wrist in two places) - There's a noticeable change.

Since my dad died (complications of non-hodgkins lymphoma or should I say, the poor choice of medical establishment to kill the body's immune system to kill cancer cells*), I have moved in with her and take care of some of her needs (I'm single at the moment, so it's not an issue - besides I would anyway) otherwise she would be all alone. I'm afraid her time is drawing near.

Everything is overwhelming



*in the 50 or so years of Cancer fund-raising, they still use the same techniques which do not work very well.(cut, chemicals, or radiation) You think by now they would come up with something better and less destructive? No, there's money to be made, while the doctors helped to kill my dad.

PC users get to enjoy much more "ware" than Mac users. Much of it is great.

Hard Rocker
June 7th, 2005, 12:05 AM
;) In all sincerity I wish you .... the very best .... and strength .... in a very difficult time.

HR

lynchknot
June 7th, 2005, 12:28 AM
Thanks HR. :-\

crackman
July 7th, 2005, 12:25 AM
I am new to this forum and found the following. Hope I'm not breaking protocol by posting my experiences in this thread.

-{ Quote: " I just downloaded & ran Rootkit Revealer & it immediately detected HKLM\SOFTWARE\Classes\webcal\URL Protocol.
" }-
This post is most interesting. The same problem occurs in my computer. Rootkit Revealer v1.54 showed the following:

HKLM\SOFTWARE\Classes\webcal\URL Protocol
3/16/2005 2:22 PM
13 bytes
Data mismatch between Windows API and raw hive data.

The date stamp (Mar 16) is at the time when Dell was assembling my computer, so it may be that this issue predates any personal activity on the machine. The Registry key in question is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal]
"URL Protocol"="URL Pr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal\shell]

Before I uninstalled Dell's AOL files, there were two additional entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal\shell\open\command]
@="rundll32.exe C:\\PROGRA~1\\AMERIC~1.0\\WEBCAL~1.DLL,WebCalHandler %1"

However, the same Rootkit Revealer error was reported both before and after the AOL uninstallation.

I'm running Windows XP/SP2, IE 6.0/SP2, McAfee AV, and the usual anti-spyware programs. Forum rules say don't post HJT, so I won't, but it appears to be clean. No suspicious computer activity.

Like Hard Rocker, I'd like to know what's going on here. Is this trickery on Dell's part, a rootkit, a Rootkit Revealer problem, or what?

lynchknot
July 7th, 2005, 12:45 AM
I'm not 100% sure but I think we are looking for an executable with a date discrepancy coupled with a mismatch between Windows API and raw hive data.

crackman
July 9th, 2005, 10:48 PM
Since my last (and only) post to this thread concerning my similar results with Rootkit Revealer, I have downloaded and run RKDetector. My results are almost identical to those posted earlier; i.e., "suspicious modules" imm32.dll, lpk.dll, and usp10.dll along with a likely-hooked module msvcrt.dll. Namely, the relevant results from my RKDetector are:
____________________________________________________________________

-Searching for wrong Service Paths.... ( Found: 1 wrong Services )
------------------------------------------------------------------------------
*SV: wanatw (WAN Miniport (ATW)) PATH: C:\WINDOWS\system32\drivers\wanatw4.sys
------------------------------------------------------------------------------
-Searching for Rootkit Modules........
------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)
_____________________________________________________________

We may be onto something here, people. Checking the discrepancies, the path C:\WINDOWS\system32\drivers\wanatw4.sys DOES NOT EXIST in my system! 'wanatw4.sys' is in I386 (date stamp is 1-10-2003 and size is 33,588 bytes), but it is not in WINDOWS\SYSTEM32. Description is "Wan Miniport (ATW)"; Version is 8.3.0.0; Copyright is © 2001-2002 America Online, Inc. AOL also had my suspect 'webcal' entry. Files 'imm32.dll', 'lpk.dll', and 'usp10.dll' are all in I386, WINDOWS\SYSTEM32, and in the DLLCACHE as expected. They are valid Microsoft files, and their file sizes correspond with what they should be (apparently), so what makes them 'suspicious' is unknown.

As for c:\windows\system32\msvcrt.dll, the module's properties say "Windows NT CRT DLL", version 7.0.2600.2180, with a size of 343,040 bytes, created and modified on 8-4-2004. Microsoft Article ID 194205 describes a special file of that name that is used by AOL. I am now wondering if AOL might be at the 'root' of all this (pun intended).

Hope I'm not throwing too much data at you.

Rasheed187
July 10th, 2005, 12:25 PM
On one of my machines I found this (see link), what should I think about this, am I rootkitted or not? ;D :o

Rasheed187
July 11th, 2005, 10:32 AM
The image works again, nobody with any feedback? ???

crackman
July 11th, 2005, 04:25 PM
Maybe, just maybe, there may be some answers for Hard Rocker. I had noticed the same Hive/API discrepancy that he did, as quoted:
-{ Quote: "I just downloaded & ran Rootkit Revealer & it immediately detected HKLM\SOFTWARE\Classes\webcal\URL Protocol.
...
What I find strange is that the timestamp ( for the HKLM\SOFTWARE\Classes .... etc ) is indicated at August 31, 2004 & since this is a new PC .... I never accessed the internet before September 22, 2004." }-

On my own system, this particular key appears to be the only one that was granted "user" ownership at the time of Dell's installation of the software on March 16 (right-click a key and then click "Permissions" for info). While either this or corrupted data may be the problem, I solved it by changing the HKLM\SOFTWARE\Classes\webcal key's "owner" to Administrator, exporting the key, deleting it from the Registry, then importing the key right back into the Registry. Do not do this in general without knowing just how vulnerable the key might be; some Registry entries get updated continuously. After doing this procedure, Rootkit Revealer gave me a clean bill of health. Be aware that if anything else is running, there may be occasional hive/API mismatches, as Sysinternals will tell you.

As for the other discrepancies, quoting with deletions of dashed lines:
-{ Quote: "
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
*SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
*SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
-Trying to detect hxdef with TCP data..Unable to load tcp.dll
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)
" }-

I had noted the same on my computer, also with no rootkits detected. To double-check, I downloaded F-Secure BlackLight and found nothing when I ran it -- neither in normal mode, nor in expert mode, nor when run immediately after a fresh boot (again in expert mode), nor when run outside of EXPLORER.

To see if any suspicious activity might be taking place at startup, I ran REGMON during the boot process. Modules imm32, lpk, usp10, and msvcrt - and MANY others -- were referenced 44 times for image options. This seemed to occur not only for the various startup routines, but also for others, and apparently is a normal activity. Module usp10.dll had 4 extra refs due to its being an Office module.

Neither imm32.dll nor lpk.dll had any Registry refs, but usp10.dll is shared by Microsoft Works and by Picture It, and msvcrt.dll is shared by many programs. The three modules imm32, lpk, and usp10 seem legitimate on my own machine despite RKDetector's suspicions, and I don't think that msvcrt.dll really is hooked; just many dependencies. Lack of suspicious activity leads me to consider RKDetector's findings to be false positives, though it is clearly a good program (beats false negatives). One discrepancy not shared with lynchknot -- a wrong path for wanatw (WAN Miniport) -- is likely due to an unclean uninstall by AOL (famed for leaving behind a fouled nest).

As for Rasheed 187, you might check the above info as a starter.

Jame Taylor
July 12th, 2005, 04:05 AM
-{ Quote: "On one of my machies I found this (see link), what should I think about this, am I rootkitted or not? ;D :o " }-


Sure, looks like someone implanted a rootkit via a zeroday exploit through IE. :)

Sure looks like you were running Sysinternals Process explorer at the time.

Let me guess you replaced your task manager with it?

Either that or something messed up with it.

For guys having weird discrepancies with rootkit revealer, I recommend you do the following

1) Disconnect from the net
2) Turn off all your programs, as well as nonessential services
3) Run rootkit revealer.

A lot of mismatches appear because 'stuff' is happening at the same time rootkit revealer is comparing.

This is especially so for security software.

Doh!
July 12th, 2005, 08:50 AM
Hi,

I downloaded and ran the latest rootkitrevealer.

I had two discrepancies.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 23/08/2004 11:48 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 23/08/2004 11:50 0 bytes Key name contains embedded nulls (*)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€쀐]
"DisplayName"="װ!װ!"
"DeviceDesc"="װ!װ!"
"ProviderName"="ﻔ粐d"
"MFG"="Ԭ"
"ReinstallString"="C:\\WINDOWS\\System32\\ReinstallBackups\\€쀐\\DriverFiles\\.INF"
"DeviceInstanceIds"=e:\pmr400222eu0 osaka20 sp2 en,gr,fr,it\display driver\sbdrv\smbus\smbusati.inf


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\୵粁·]
"DisplayName"="䟔"
"DeviceDesc"="䟔"
"ProviderName"="娴粐媤"
"MFG"="ᅈ "
"ReinstallString"="6.14.10.6430"
"DeviceInstanceIds"=e:\pmr400222eu0 osaka20 sp2 en,gr,fr,it\display driver\driver\2kxp_inf\cx_15265.inf

Are these valid entries? Malware?
I read somewhere that some valid keys had embedded nulls.

Note that in both these keys none of the identifiers i.e. displayname, manufacturer (mfg), description etc. have only these odd symbols.

Thanks
Doh!
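
The comparison Rootkit Revealer is making when it prints lines like the ones above, modelled in Python as an added example (not Sysinternals code and not from anyone in this thread; it runs against a small in-memory stand-in for a hive rather than the real registry, so it works anywhere): two walks over the same data, one "raw" and one through an API-style view, followed by a diff. The `Hive` class, its `api_filtered` set, the rule that the API view cannot see a key name past its first NUL, and every path, timestamp and data byte in `build_sample_hive()` are assumptions and constructed sample data; the paths only echo the ones quoted in this thread. It covers three things discussed above: the "Data mismatch between Windows API and raw hive data" line from Hard Rocker's and crackman's scans, the "Key name contains embedded nulls" entries in Doh!'s post, and Jame Taylor's point that anything writing the registry between the two walks produces a one-off mismatch that disappears on a quiet re-scan.

```python
"""Cross-view registry comparison in the style of RootkitRevealer (RR).

Added example, not Sysinternals code. RR walks the registry through the
Win32 API and separately by parsing the raw hive files, then reports every
key or value on which the two walks disagree. Both walks are simulated
here over a constructed in-memory hive.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

EMBEDDED_NULL = "Key name contains embedded nulls (*)"
DATA_MISMATCH = "Data mismatch between Windows API and raw hive data."
HIDDEN_FROM_API = "Hidden from Windows API."

Entry = Tuple[str, bytes]  # (last-write timestamp as RR prints it, data bytes)


@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size: int
    reason: str

    def line(self) -> str:
        """Render in the column order RR uses: path, timestamp, size, reason."""
        return f"{self.path}\t{self.timestamp}\t{self.size} bytes\t{self.reason}"


@dataclass
class Hive:
    """Constructed stand-in for a hive: full path -> (timestamp, data).
    api_filtered (assumption) models entries that a filter sitting at the
    API layer drops from enumeration; the raw-hive parser never passes
    through that layer, which is the whole point of a cross-view check."""
    entries: Dict[str, Entry] = field(default_factory=dict)
    api_filtered: Set[str] = field(default_factory=set)

    def raw_walk(self) -> Dict[str, Entry]:
        # The hive parser reads counted strings, so NULs inside names survive.
        return dict(self.entries)

    def api_walk(self) -> Dict[str, Entry]:
        # Assumption: a NUL-terminated-string consumer sees a name only up to
        # its first NUL, so such a key cannot be opened by name and is absent.
        return {
            path: entry
            for path, entry in self.entries.items()
            if "\x00" not in path and path not in self.api_filtered
        }


def compare_views(raw: Dict[str, Entry], api: Dict[str, Entry]) -> List[Discrepancy]:
    """Report every entry on which the two walks disagree, RR-style."""
    findings: List[Discrepancy] = []
    for path, (ts, data) in sorted(raw.items()):
        if "\x00" in path:
            # RR prints the parent path for these, since the real name cannot
            # be shown or opened through the API.
            parent = path.rsplit("\\", 1)[0] + "\\"
            findings.append(Discrepancy(parent, ts, 0, EMBEDDED_NULL))
        elif path not in api:
            findings.append(Discrepancy(path, ts, len(data), HIDDEN_FROM_API))
        elif api[path][1] != data:
            findings.append(Discrepancy(path, ts, len(data), DATA_MISMATCH))
    return findings


def scan(hive: Hive, activity: Optional[Callable[[Hive], None]] = None) -> List[Discrepancy]:
    """One RR-style pass: raw walk, then API walk, then diff. `activity`
    simulates something writing the registry between the two walks, the
    benign source of one-off mismatches discussed in the thread."""
    raw = hive.raw_walk()
    if activity is not None:
        activity(hive)
    api = hive.api_walk()
    return compare_views(raw, api)


def build_sample_hive() -> Hive:
    """Constructed data. Paths follow the ones quoted in the thread; the
    timestamps, data bytes and the filtered 'Run' value are made up."""
    reinstall = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Reinstall"
    run_value = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"
    return Hive(
        entries={
            "HKLM\\SOFTWARE\\Classes\\webcal\\URL Protocol": ("3/16/2005 2:22 PM", b"URL Pr\x00"),
            "HKLM\\SOFTWARE\\Classes\\webcal\\shell": ("3/16/2005 2:22 PM", b""),
            # Name with an embedded NUL and leftover bytes after it: the kind of
            # key RR lists as 'Key name contains embedded nulls'.
            reinstall + "\\0000\x00\x80": ("23/08/2004 11:48", b""),
            run_value: ("7/1/2005 9:00 AM", b"C:\\x\\svc.exe"),
        },
        api_filtered={run_value},
    )


def touch_webcal(hive: Hive) -> None:
    """Simulated installer activity during the scan: rewrites one value."""
    hive.entries["HKLM\\SOFTWARE\\Classes\\webcal\\URL Protocol"] = ("7/12/2005 8:50 AM", b"")


if __name__ == "__main__":
    print("Quiet system:")
    for d in scan(build_sample_hive()):
        print(" ", d.line())
    print("Something writing the registry mid-scan:")
    for d in scan(build_sample_hive(), activity=touch_webcal):
        print(" ", d.line())
```

Run it directly to see both passes printed. The first pass shows only the findings that persist (the embedded-null key and the entry the API layer filters out); the second adds a transient webcal mismatch caused by `touch_webcal` writing between the two walks, which is exactly the kind of line that vanishes when the scan is repeated on a quiet system. Whether a finding survives a re-scan with nothing else running is the check worth doing before worrying about any single RR line.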

Rasheed187
July 12th, 2005, 12:08 PM
Thanks for the feedback James Taylor :)

That might be it, and no I haven't replaced Task Manager but I do use Process Explorer a lot. ;)

leccy
September 28th, 2005, 09:05 PM
I've got a Dell too... and get the same detection...

it's something to do with AOL:
rundll32.exe C:\PROGRA~1\AOL9~1.0\WEBCAL~1.DLL,WebCalHandler %1

but i'm gonna save that part of the registry... then copy the right data into the field... let's hope it works

T772
September 30th, 2005, 11:44 AM
-{ Quote: "Hi,

I downloaded and ran the latest rootkitrevealer.

I had two discrepancies.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 23/08/2004 11:48 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 23/08/2004 11:50 0 bytes Key name contains embedded nulls (*)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€쀐]
"DisplayName"="װ!װ!"
"DeviceDesc"="װ!װ!"
"ProviderName"="ﻔ粐d"
"MFG"="Ԭ"
"ReinstallString"="C:\\WINDOWS\\System32\\ReinstallBackups\\€쀐\\DriverFiles\\.INF"
"DeviceInstanceIds"=e:\pmr400222eu0 osaka20 sp2 en,gr,fr,it\display driver\sbdrv\smbus\smbusati.inf


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\୵粁·]
"DisplayName"="䟔"
"DeviceDesc"="䟔"
"ProviderName"="娴粐媤"
"MFG"="ᅈ "
"ReinstallString"="6.14.10.6430"
"DeviceInstanceIds"=e:\pmr400222eu0 osaka20 sp2 en,gr,fr,it\display driver\driver\2kxp_inf\cx_15265.inf

Are these valid entries? Malware?
I read somewhere that some valid keys had embedded nulls.

Note that in both these keys none of the identifiers i.e. displayname, manufacturer (mfg), description etc. have only these odd symbols.

Thanks
Doh!" }-
Hi, there is some useful info on what RR is detecting in regards to the embedded nulls @ this link >

http://www.sysinternals.com/Forum/search.asp?KW=Key+name+contains+embedded+nulls&SM=1&SI=PT&FM=0&OB=1

also another link you should look @ >

http://www.sysinternals.com/Forum/forum_posts.asp?TID=333&%20amp;KW=Reinstall


Hope this helps T

crackman
October 18th, 2005, 12:28 AM
-{ Quote: "I've got a Dell too... and get the same detection...

it's something to do with AOL:
rundll32.exe C:\PROGRA~1\AOL9~1.0\WEBCAL~1.DLL,WebCalHandler %1

but i'm gonna save that part of the registary... then copy the right data into field... lets hope is works" }-

Leccy:

I'm curious about the common thread of Dell computers giving a WEBCAL discrepancy. Do you remember how many bytes mismatched? Did you have any luck rectifying this item?

Crackman

Dargie
November 6th, 2005, 02:13 AM
I found the exact same thing after running Rootkit Revealer, then going on to give my registry a few pokes with a big stick. I've never had a Dell, but I have had AOL installed, so I'm guessing it's just something left over from the installation. I've run Blacklight a couple of times, and it reveals nothing. Probably a harmless glitch, but widespread based on what I'm seeing after googling on "webcal\URL protocol."

Mele20
November 6th, 2005, 06:02 AM
Hmm...I have a Dell and had AOL installed last month. (I get AOL free now through my ISP Road Runner). I uninstalled AOL after I couldn't get the radio to work. I ran Rootkit Revealer and it found nothing.

RMK Sledder
November 20th, 2005, 10:32 AM
I had lost hardwired communications with my router.

I originally did a system restore to a previous date, and it restored communications. Then the communication failures came back, and the system restore didn't help.

I ran the rootkit revealer and it found this string and it found a similar string under HKLM\Software\Microsoft\Windows\CurrentVersion\Reinstall. I ran regedit and deleted it, and my router communications came back.

I get the feeling that this is a symptom of a larger problem.

controler
November 20th, 2005, 11:02 AM
You may want to look for your DLL here

http://www.castlecops.com/bho-w.html

The WEB cal thing could be a corporate time server or something.


controler

++0011++
November 21st, 2005, 08:34 AM
This might help with some of the ?fp and RR scan results.
Plenty of posts in the forums there:

http://www.sysinternals.com/Forum/forum_posts.asp?TID=2408&PN=1

Mele20
November 26th, 2005, 08:29 PM
This is weird. I ran Rootkit Revealer again just now and it found the webcal discrepancy that is being discussed here. When I ran it on Nov 6, it found nothing. I suppose webcal was being updated during the scan this time and that is why it was found. I did not disconnect from the internet either time I ran the scan nor did I run it in safe mode.

What interests me though is that webcal is part of AOL and it would appear even though I ran RegCleaner after uninstalling AOL, I still have AOL stuff in the registry.

buggerboo
November 28th, 2005, 07:14 PM
Get regseeker and delete all AOL entries