Please help.

Discussion in 'malware problems & news' started by Meed, Apr 8, 2007.

Thread Status:
Not open for further replies.
  1. Meed

    Meed Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    16
    Hey, a friend gave me this nifty program called RootkitRevealer the other day, and I used it to scan my system. This is what it came up with:

    HKLM\S-1-5-21-2165517387-2781504589-1887795725-1006\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger 09/04/2007 13:45 3 bytes Data mismatch between Windows API and raw hive data.

    HKLM\S-1-5-21-2165517387-2781504589-1887795725-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 09/04/2007 13:07 0 bytes Key name contains embedded nulls (*)

    HKLM\SOFTWARE\Classes\CLSID\{2216D9DB-920A-B7BB-D8AF-09633D5A378D}\InProcServer32* 16/03/2007 09:34 0 bytes Key name contains embedded nulls (*)

    HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 09/04/2007 13:56 4 bytes Data mismatch between Windows API and raw hive data.

    HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 09/04/2007 13:56 4 bytes Data mismatch between Windows API and raw hive data.

    I told him about the results, and he said that the SecuROM & InProcServer32* findings could be bad, and told me to ask here, since the main forums for RR are locked at the moment. Does anyone know what these two entries are? I did a Google search on both of them, and I got some good hits on other forums about them; unfortunately the forums were in another language (might have been Russian/Korean).

    Thx, Meed.

    ps - sorry if this is the incorrect forum for this issue, but "malware probs & news" was the only one that seemed the most relevant.
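As an added example (not part of the original post, and not code from Sysinternals or the RootkitRevealer tool), here is a small Python parser for the discrepancy lines quoted above. It splits each line into registry path, date, time, size and discrepancy text, and buckets the findings into the two kinds that appear in this scan: key names with embedded nulls, and values whose Windows API view differs from the raw hive data. The sample input is the five lines from the post, embedded verbatim; the category names and the `Finding` class are this example's own choices. The category only records what inconsistency the tool observed, which is the starting point for checking which software owns the key, not a verdict about it.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the five discrepancy lines quoted in the post,
# one RootkitRevealer finding per line (copied exactly as printed there).
SAMPLE_RKR_OUTPUT = r"""
HKLM\S-1-5-21-2165517387-2781504589-1887795725-1006\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger 09/04/2007 13:45 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-2165517387-2781504589-1887795725-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 09/04/2007 13:07 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{2216D9DB-920A-B7BB-D8AF-09633D5A378D}\InProcServer32* 16/03/2007 09:34 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 09/04/2007 13:56 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 09/04/2007 13:56 4 bytes Data mismatch between Windows API and raw hive data.
"""

# One finding per line: <registry path> <dd/mm/yyyy> <hh:mm> <N> bytes <description>.
# The path may contain spaces, so it is matched non-greedily up to the date field.
_LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) bytes "
    r"(?P<desc>.+)$"
)

# Category labels are this example's own naming, not RootkitRevealer's.
EMBEDDED_NULL = "embedded-null-name"
API_HIVE_MISMATCH = "api-hive-mismatch"
OTHER = "other"


def categorize(description: str) -> str:
    """Map the tool's discrepancy text onto a coarse category."""
    d = description.lower()
    if d.startswith("key name contains embedded nulls"):
        return EMBEDDED_NULL
    if d.startswith("data mismatch between windows api and raw hive data"):
        return API_HIVE_MISMATCH
    return OTHER  # any discrepancy text not seen in this scan


@dataclass(frozen=True)
class Finding:
    path: str
    date: str
    time: str
    size_bytes: int
    description: str
    category: str

    @property
    def hive(self) -> str:
        """Root hive of the key, e.g. 'HKLM'."""
        return self.path.split("\\", 1)[0]


def parse_rkr_output(text: str) -> list:
    """Parse RootkitRevealer-style output lines into Finding objects.

    Blank lines are skipped; a line that does not fit the layout raises,
    so a changed output format is noticed rather than silently dropped.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
        desc = m["desc"]
        findings.append(Finding(
            path=m["path"],
            date=m["date"],
            time=m["time"],
            size_bytes=int(m["size"]),
            description=desc,
            category=categorize(desc),
        ))
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per category."""
    return Counter(f.category for f in findings)


def findings_of(findings: list, category: str) -> list:
    """Select the findings of one category, keeping the tool's order."""
    return [f for f in findings if f.category == category]


if __name__ == "__main__":
    results = parse_rkr_output(SAMPLE_RKR_OUTPUT)
    for category, count in summarize(results).items():
        print(f"{category}: {count}")
    for f in findings_of(results, EMBEDDED_NULL):
        print(f"  {f.hive} key with embedded nulls: {f.path}")
```

Run as a script it prints the per-category counts and then lists the two embedded-null key names, which are the two entries the poster's friend pointed at; the parser is also usable on a saved scan log by passing the file's contents to `parse_rkr_output`.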
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    First, do not use tools you do not understand.
    Second, there's a fair bit of explanation on the Sysinternals forums explaining various entries found in the RKR logs.
    Third, a single scan by a single tool is never an indication of anything.
    Mrk
     