help with ROOTKIT REVEALER

Hi..Ran the Rootkit revealer as recommended by CHAS the man...it came up with something i dont understand and on the free download there doesnt seem to be any help. The log says..

HKLM\SOFTWARE\data mismatch between windows api and raw hive data.

Durrrrr !!! is this anything to bother about.

By the way, i think i need to get a much cooler name.

 

It's definitely something you want to look at.

Could you please attach the log from Rootkit Reaveler. I'll take a look at it.

 

Cheers Dude...i ran it again and this time it came up with two discrepancies...here they are...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5561FD0B96405414DA5DDD4B2111C87F\Usage\Complete 19/05/2006 08:20 4 bytes Data mismatch between Windows API and raw hive data.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 19/05/2006 08:17 64.00 KB Visible in Windows API, but not in MFT or directory index.


By the way, the only way i managed to find the log was to click ' save' whilst in the rootkit results field and it brought up the location my log was saved in, namely windows syst 32 folder.This is located in the document list in a yellow WINDOWS folder directly below LOCAL DISC (C) and
directly above CD drive (D).....but...

when i try to find the yellow WINDOWS folder and SYSTEM 32 without going through rootkit revealer it does not appear in my document list.

Is this normal ???

thanks Tony

 

Its Tony again...just discovered the options in rootkit revealer to uncheck..

'hide standard NTFS Metadata files' and...
'scan registry'

I unchecked tham and it brought up 17 entries as follows....dont know if this is of any use in sorting the problem ???

C:\$AttrDef 12/08/2004 19:53 2.50 KB Hidden from Windows API.
C:\$BadClus 12/08/2004 19:53 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 12/08/2004 19:53 114.49 GB Hidden from Windows API.
C:\$Bitmap 12/08/2004 19:53 3.58 MB Hidden from Windows API.
C:\$Boot 12/08/2004 19:53 8.00 KB Hidden from Windows API.
C:\$Extend 12/08/2004 19:53 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 12/08/2004 19:53 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 12/08/2004 19:53 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 12/08/2004 19:53 0 bytes Hidden from Windows API.
C:\$Extend\$UsnJrnl 08/09/2004 22:18 0 bytes Hidden from Windows API.
C:\$Extend\$UsnJrnl:$Max 08/09/2004 22:18 32 bytes Hidden from Windows API.
C:\$LogFile 12/08/2004 19:53 64.00 MB Hidden from Windows API.
C:\$MFT 12/08/2004 19:53 67.23 MB Hidden from Windows API.
C:\$MFTMirr 12/08/2004 19:53 4.00 KB Hidden from Windows API.
C:\$Secure 12/08/2004 19:53 0 bytes Hidden from Windows API.
C:\$UpCase 12/08/2004 19:53 128.00 KB Hidden from Windows API.
C:\$Volume 12/08/2004 19:53 0 bytes Hidden from Windows API.

 

There is nothing there to be concerned about.

Windows/System32 isn't in My Documents. It's a directory under Local Disk C:

 

thanks a bunch.

 

You're welcome.