
Free download - Rootkit analyzer

f0dder:
Quite correct ... the trouble I have with the sysinternals program is that the output seems almost impenetrable if you aren't an expert in the registry.

On my system it reports a couple of files are different, but I have no way of knowing what made them different or if they actually need to be different versions. They could for example have been updated by Microsoft Update since the last SysInternals update.
-CarolHaynes (November 14, 2005, 04:42 PM)
--- End quote ---

Hm, could you post an example of your output? I know a few apps like Daemon-Tools try to hide some of its registry entries so it won't get detected by games etc., but generally if there's discrepancies it might mean trouble. You could also PM me a RKR log if you don't feel like putting it on the forum...

Carol Haynes:
Here is my output from SysInternals RevealRootKit, I don't think there is any sensitive data on display here (if there is let me know and I will edit the message to remove it!):

HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{0A2C6EC6-E1BC-9BF5-B3F7D282645EFB0F}\{C08E0694-C5E1-48EE-3ACF6A24AC2BF796}\{A9549B8D-B7EF-15E1-4BD44DC35FFCD192}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{11B5C8DC-3FEA-1682-D4F0355518481497}\{414E0745-768E-27E6-1A22BEEA50FFC306}\{0F77990A-A8C5-E83C-A2DEB9098A2A23DE}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{3749AA95-0B95-97D6-573EA782D1087389}\{140D5DD1-4454-9D01-1A62C863EE2D72CA}\{AFBD57C5-0E25-C0E9-BB318052A3DC6730}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{41499515-FE1F-2B25-9CCAFA7C1BD1CD4F}\{E760D6E7-B184-EBBF-DA510F4FC9719600}\{4E25D3C0-199C-C2DC-33A6CFCC543E6F29}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{6041C420-22B4-140A-3B055037524C6B59}\{9A77D18C-4DFD-83C2-41C1A5F44022B903}\{B579578C-D2DD-BD46-01C9D6D000184189}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{60778762-8BE2-5BE8-74B1F534DECE7DD7}\{033814D8-F5F0-69C3-B63A6822FA3F97AC}\{BB1878CD-9C66-F7AC-793F8981AF2E0354}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{61A3D62A-E669-8B2B-95B7C505631D6590}\{1D71893B-0DD3-8FF9-31AA9E7B284EB027}\{CF9E2073-5E5A-1B13-96346A906352FBBE}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{8FD8A5D7-9511-025F-16B31A5B051F5A4D}\{7F4BC209-0230-7A50-936F3704F4AD01D8}\{4F172B6C-B722-D8DB-046FD06C67D2EAC6}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{A211FD50-104A-552A-E783321B77B5C9DA}\{4E700FFC-D5B6-D24A-08D9C51A05E3FA14}\{72F82311-8741-4D82-9043D22F7FAD5282}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{BE08C2D3-409A-BA9A-CCC3BF5A93C4C5B2}\{31E0C4F5-10D2-2559-BD8FA6F8E4FD42BD}\{0C75E684-EF64-45D0-854DEF6D927DBB7D}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{C925DBC2-2F83-42AD-B0CBB854A5BF695B}\{7C26F213-28FC-ED62-CBDE7EE0F1CEF59B}\{619A38BB-0D53-1157-F7C7CBB2EE20607F}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{CD33F05B-57D8-EB8D-1C637C8E18479BDE}\{4B66B287-DF55-8BF6-0C7A245C073DF874}\{2B094E66-D192-13E4-CB3BD0799FCAC2FC}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{D891502B-DC36-B293-121D9D2985957827}\{239EA7E9-C7D1-EF13-CC952A60F4AD7A0B}\{9E7939D5-CFE3-7B10-257B198232E2E5B7}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        15/11/2005 01:26
   Size:        4 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\UDC\EventMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\UDC\CategoryMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\UDC\EventMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\UDC\CategoryMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
C:\$AttrDef:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        2.50 KB
C:\$BadClus:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes
C:\$BadClus:$Bad:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        45.00 GB
C:\$Bitmap:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        1.41 MB
C:\$Boot:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        8.00 KB
C:\$Extend:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes
C:\$Extend\$ObjId:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:01
   Size:        0 bytes
C:\$Extend\$Quota:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:01
   Size:        0 bytes
C:\$Extend\$Reparse:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:01
   Size:        0 bytes
C:\$Extend\$UsnJrnl:
   Description: Hidden from Windows API.
   Date:        23/03/2005 09:48
   Size:        0 bytes
C:\$Extend\$UsnJrnl:$Max:
   Description: Hidden from Windows API.
   Date:        23/03/2005 09:48
   Size:        32 bytes
C:\$LogFile:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        64.00 MB
C:\$MFT:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        244.16 MB
C:\$MFTMirr:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        4.00 KB
C:\$Secure:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes
C:\$UpCase:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        128.00 KB
C:\$Volume:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes

f0dder:
Seems like you either have an old version of RKR, or have "hide standard NTFS metadata files" unchecked (that's why it shows files like $Volume etc - these are part of how NTFS manages the disk and can be safely ignored). The "Key name contains embedded nulls" seems a bit weird, but since those nulls are only located at the end of the names, this seems like a typical off-by-one error in somebody's registry handling code rather than malicious purpose.

The line related to Prefetcher\TracesProcessed doesn't seem dangerous either, the prefetcher runs all the time (unless you have disabled it :)), and has probably done some work between the time where RKR uses the windows API to get the reg value, and the time where it manually parses the registry hive file.

Dunno about the UDC\* lines, but they seem harmless enough considering their location.

I'm a bit curious which components or whatever those null-char-embedded CLSIDs are referring to, even if they probably aren't malicious or anything :)
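
As an added illustration (not code from the thread or from Sysinternals), the triage rules f0dder applies above, written out as a script that parses RootkitRevealer's report layout and labels each discrepancy. The sample report is constructed from the format quoted earlier, and the unexplained.sys entry is made up to show an entry that would warrant a closer look.

```python
import re
# Constructed sample in RootkitRevealer's report layout, modelled on the log
# quoted in the thread; the "unexplained.sys" entry is made up.
SAMPLE_LOG = """\
HKLM\\SOFTWARE\\Classes\\CLSID\\{0461F6B6-066E-9BE4-35A30E37E302FE67}\\{60F18D06-2547-D7B5-3F6FEAC167531534}*:
   Description: Key name contains embedded nulls (*)
   Size:        0 bytes
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Prefetcher\\TracesProcessed:
   Description: Data mismatch between Windows API and raw hive data.
   Size:        4 bytes
C:\\$MFT:
   Description: Hidden from Windows API.
   Size:        244.16 MB
C:\\WINDOWS\\system32\\drivers\\unexplained.sys:
   Description: Hidden from Windows API.
   Size:        12.00 KB
"""
NTFS_META = re.compile(r"^[A-Za-z]:\\\$")  # C:\$MFT, C:\$Extend\$UsnJrnl, ...

def parse_rkr(text):
    """Return [(path, fields)]: a record starts at an unindented line ending
    in ':', the indented 'Name: value' lines under it are its fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            records.append((line.rstrip(":"), {}))
        elif records:
            name, _, value = line.strip().partition(":")
            records[-1][1][name.strip()] = value.strip()
    return records

def triage(path, fields):
    """Label one record using the reasoning given in the thread."""
    desc = fields.get("Description", "")
    if desc.startswith("Hidden from Windows API"):
        return "benign: NTFS metadata file" if NTFS_META.match(path) else "REVIEW: hidden from Win32 API"
    if desc.startswith("Key name contains embedded nulls"):
        # RKR marks each null with '*'; a trailing null looks like an off-by-one
        # in some program's registry code, a null inside the name does not.
        return "low: trailing null only" if "*" not in path.rstrip("*") else "REVIEW: null inside key name"
    if desc.startswith("Data mismatch"):
        # Constantly changing values (prefetcher counters) race RKR's two reads.
        return "benign: volatile value" if "\\Prefetcher\\" in path else "low: check which service owns it"
    return "REVIEW: unknown description"

def triage_report(text):
    """Return [(path, verdict)] for a whole report, REVIEW entries first."""
    out = [(p, triage(p, f)) for p, f in parse_rkr(text)]
    return sorted(out, key=lambda pv: not pv[1].startswith("REVIEW"))
```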

Carol Haynes:
I'm a bit curious which components or whatever those null-char-embedded CLSIDs are referring to, even if they probably aren't malicious or anything
--- End quote ---

Yes - trouble is how do you find out? If I use a registry editor they don't seem to show up (presumably there is an end of string marker at the end of the visible section)

f0dder:
Hm, is it just the "end" part (ie, the bold part of HKLM\SOFTWARE\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}*) that doesn't show up, or is it the whole "folder"?

If it's just the end part, you could try using regedit to export, for example, HKLM\SOFTWARE\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C} + subkeys to a .reg file and put it here, perhaps key/value data in there has something to tell (especially keys like InProcServer32, since they point to executable code).
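
As an added example (not from the thread), a script that reads a regedit .reg export like the one f0dder suggests and lists, for each CLSID, the InProcServer32 or LocalServer32 binary it points at. The export below is constructed, using two CLSIDs from the report above with made-up paths and values.

```python
import re

# Constructed regedit export (real exports are UTF-16LE with this same header).
# The CLSIDs are the ones quoted in the thread; the paths and values are made up.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}]
@="Example Component"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\\InProcServer32]
@="C:\\\\Program Files\\\\Example\\\\excomp.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B130274E-D0E8-282B-E7F07B1EE1210709}\\LocalServer32]
@="\\"C:\\\\WINDOWS\\\\system32\\\\excomp.exe\\" /Automation"
"""
SERVER_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\(InProcServer32|LocalServer32)$", re.I)

def reg_unescape(s):
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_strings(text):
    """Return {key: {name: value}} for the string values of a .reg export;
    the key's default value is stored under the name '@'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):  # skip hex:/dword: data
                keys[current][name.strip('"')] = reg_unescape(value[1:-1])
    return keys

def com_servers(text):
    """Map each CLSID to (server key, binary path) so the code behind it can be
    examined; LocalServer32 may carry a quoted path plus arguments."""
    found = {}
    for key, values in parse_reg_strings(text).items():
        m = SERVER_KEY.search(key)
        if m and "@" in values:
            cmd = values["@"]
            path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" /")[0]
            found[m.group(1).upper()] = (m.group(2), path)
    return found
```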
