RootkitRevealer notices differences, please advise

By kees1958
Sep 27, 2006
  1. Please advise

    Every month I run RootkitRevealer. Since the last run I get the following message:

    HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Prefetcher\TracesProcessed 27-9-2006 19:02 4 bytes Data mismatch between Windows API and raw hive data.

    I ran a scan with HijackThis (attached). It shows a few strange items:
    1. First, the service CHServise.exe file is missing, but this file exists in the CyberHawk directory and is listed as a running process.
    2. There seems to be a toolbar with no name, but Browser Hijack Retaliator only shows the two others (Adobe PDF Reader and SSVHelper).

    I am running AntiVir, CyberHawk and DefenseWall. The virus scan does not show any malware (neither does Ad-Aware). The web browser I use is IE7 (because the download site mentioned in the ActiveX components can only handle IE). As passive defence I also use SpywareBlaster. Every week I run an Ad-Aware scan (until now it has not found anything harmful).

    Should I worry?
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if there).

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

    O16 - DPF: {A0983711-D8FD-11D0-B8E1-00A024B10B98} (XCavatorCtl Control) -

    O16 - DPF: {D4D4A885-14CD-4B24-ABA8-4130CDA59691} (DownloadManager.DownloadInterface) -

    Click on the Fix checked button.

    Close HJT.

    Other than the above, your HJT log is clean.

    The missing file entries in HJT are a small bug in HJT and are nothing to worry about.

    As for your suspected rootkit problem, which may be nothing or something:

    Go HERE and download the Sysclean package. Make sure to read and follow the instructions carefully.

    Let me know the results please.

    Regards Howard :wave: :wave:

    This thread is for the use of kees1958 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. kees1958

    kees1958 TS Rookie Topic Starter

    I have removed the unknown toolbar.

    XCavator is an ActiveX remover (it is OK).

    The download manager is from a music download pay site (also OK).
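The thread settles the question by triage, but the mechanism behind the "Data mismatch between Windows API and raw hive data" message is a cross-view comparison: the scanner reads the registry once through the Windows API and once by parsing the hive files, then diffs the two snapshots. The script below is an added example, not RootkitRevealer's code and not anything posted in this thread. It runs that comparison over two constructed snapshots and shows why the report in the first post is usually benign: a counter such as Prefetcher\TracesProcessed is rewritten often enough that the two passes straddle an update, whereas a value that exists only in the raw hive is the pattern a rootkit hiding its persistence would produce. The VOLATILE_VALUES list, the sample key contents and the "svchost32" value name are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

# Values rewritten so often that the API pass and the raw-hive pass are routinely
# taken on either side of an update. Assumed list for this example; it is not
# RootkitRevealer's own allow-list.
VOLATILE_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed",
}


@dataclass(frozen=True)
class Finding:
    path: str       # key path, or key path + "\" + value name
    kind: str       # hidden_key | hidden_value | data_mismatch | api_only
    severity: str   # info | suspicious
    detail: str


def compare_views(api_view, hive_view):
    """Diff two registry snapshots.

    Each view is {key_path: {value_name: raw_bytes}}. The raw-hive view is the
    ground truth; anything it contains that the API view lacks is hidden from
    user-mode callers, which is the signature a registry-hiding rootkit leaves.
    """
    findings = []
    for key, hive_values in hive_view.items():
        api_values = api_view.get(key)
        if api_values is None:
            findings.append(Finding(key, "hidden_key", "suspicious",
                                    "key present in raw hive but not visible through the Windows API"))
            continue
        for name, hive_data in hive_values.items():
            path = key + "\\" + name
            if name not in api_values:
                findings.append(Finding(path, "hidden_value", "suspicious",
                                        "value present in raw hive but not visible through the Windows API"))
            elif api_values[name] != hive_data:
                # A differing value is only interesting if it is not expected to churn.
                severity = "info" if path in VOLATILE_VALUES else "suspicious"
                findings.append(Finding(path, "data_mismatch", severity,
                                        f"{len(hive_data)} bytes: API={api_values[name].hex()} "
                                        f"hive={hive_data.hex()}"))
    # Keys the API reports that the on-disk hive lacks are usually keys created
    # after the hive pass; report them as informational.
    for key in api_view:
        if key not in hive_view:
            findings.append(Finding(key, "api_only", "info",
                                    "key visible through the Windows API but absent from raw hive"))
    return findings


PREFETCH_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def sample_views():
    """Constructed snapshots (not captured from a real machine).

    The prefetcher counter advanced by one between the two passes, and a
    hypothetical Run value "svchost32" exists only in the raw hive.
    """
    api_view = {
        PREFETCH_KEY: {"TracesProcessed": struct.pack("<I", 1205)},   # REG_DWORD, 4 bytes
        RUN_KEY: {"ExampleAgent": b"C:\\Example\\agent.exe"},
    }
    hive_view = {
        PREFETCH_KEY: {"TracesProcessed": struct.pack("<I", 1206)},
        RUN_KEY: {"ExampleAgent": b"C:\\Example\\agent.exe",
                  "svchost32": b"C:\\Windows\\Temp\\svchost32.exe"},
    }
    return api_view, hive_view


def report_lines(findings):
    """Render findings in a RootkitRevealer-like one-line-per-discrepancy format."""
    return [f"{f.path}\t{f.kind}\t{f.severity}\t{f.detail}" for f in findings]


if __name__ == "__main__":
    api, hive = sample_views()
    for line in report_lines(compare_views(api, hive)):
        print(line)
```

Run on the constructed snapshots, the Prefetcher counter mismatch comes out as "info" (4 bytes, consecutive values) and the hive-only Run value as "suspicious". The practical check when a real scan reports a data mismatch is the same one this classification encodes: rerun the scan and see whether the same value is reported again with different data, which indicates churn rather than concealment.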