Free download - Rootkit analyzer

Carol Haynes:
OK. I took the first entry in the output above and exported the whole key.

Here is the log entry:

--- Code: ---
HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
--- End code ---

and here is the exported key HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}:

--- Code: ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}]
--- End code ---

It is somewhat odd that the last leaf "{03821BF4-A5A3-BF72-1BF7DBE36D239A74}" doesn't appear in the exported .reg file at all!! Although it does appear in the registry editor. I have checked the permissions set on the key and they seem to be set to allow everyone on the system full control. It does however appear in red (in Resplendent Registry Manager), which means:

--- Quote ---
Why do some registry keys in my registry appear in red?
These are system critical keys which are normally only accessible from the System account.
--- End quote ---

Even more oddly, the 'last leaf' appears twice (!!!) in Windows RegEdit (see second graphic) and exports as:

--- Code: ---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}]
--- End code ---

Just to check further I did a hex dump of the exported files (see graphics - sdump from Registrar RM, sdump3 from RegEdit).

The values following {03821BF4-A5A3-BF72-1BF7DBE36D239A74} seem to be ] and alternating 0A 0D, which are just line feed and carriage return characters - but that may just be a function of exporting to a .reg file.

Is there any way to see a hex dump of a section of the registry?
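
Added example (not code from the original thread, nor from RKR, Registrar or regedit): a Python script that works only on the exported text, so it runs without registry access. It decodes both export formats compared above (REGEDIT4 files are 8-bit ANSI text; "Windows Registry Editor Version 5.00" files are UTF-16LE with a byte-order mark, so in a hex dump of the regedit export every byte of `]`, CR and LF is followed by 00, which is the "alternation" seen in the dump), lists the `[...]` key paths, flags duplicates, and models the two views of a key name that matter for embedded nulls: the native API (NtCreateKey/NtOpenKey) takes a counted UNICODE_STRING, so a NUL inside a name is legal, while Win32 callers (RegOpenKeyEx, regedit, .reg exporters) use null-terminated strings and stop at the first NUL. The key paths are the ones posted above; the hidden name used at the end (visible GUID plus a trailing NUL) is an assumption for illustration, since the real name is not recoverable from the post.

```python
"""Decode the two .reg exports quoted in the thread, list the key paths each
one contains, flag duplicates, and model why a key name with an embedded NUL
looks truncated, duplicated or missing to Win32-based tools.

Added example for this thread; not code from RKR, Registrar or regedit.
Runs anywhere (no registry access needed): it works on the export text only.
"""
import codecs
import re
from collections import Counter

# Key paths exactly as posted in the thread.
CLSID = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
K1 = CLSID + r"\{0461F6B6-066E-9BE4-35A30E37E302FE67}"
K2 = K1 + r"\{60F18D06-2547-D7B5-3F6FEAC167531534}"
K3 = K2 + r"\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}"

# Constructed from the posted exports. REGEDIT4 files are 8-bit ANSI text;
# "Windows Registry Editor Version 5.00" files are UTF-16LE with a BOM.
REG4_EXPORT = (
    "REGEDIT4\r\n\r\n"
    f"[{K1}]\r\n\r\n"
    f"[{K2}]\r\n"
).encode("cp1252")

REG5_EXPORT = codecs.BOM_UTF16_LE + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{K1}]\r\n\r\n"
    f"[{K2}]\r\n\r\n"
    f"[{K3}]\r\n\r\n"
    f"[{K3}]\r\n"
).encode("utf-16-le")


def decode_reg_export(data: bytes) -> str:
    """Pick the text encoding from the file's signature."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    return data.decode("cp1252")


def key_paths(text: str) -> list:
    """Return every [key path] header in export order."""
    return re.findall(r"^\[([^\r\n]+)\]\r?$", text, re.MULTILINE)


def duplicate_paths(paths: list) -> list:
    """(path, count) for every path that occurs more than once."""
    return [(p, n) for p, n in Counter(paths).items() if n > 1]


def win32_view(name: str) -> str:
    """What a caller using null-terminated strings (RegOpenKeyEx, regedit,
    most .reg exporters) sees of a key name: everything up to the first NUL."""
    return name.split("\x00", 1)[0]


def native_view(name: str) -> str:
    """What the native API sees: NtCreateKey/NtOpenKey take a counted
    UNICODE_STRING, so a NUL inside the name is just another character."""
    return name


def win32_collisions(native_names: list) -> dict:
    """Group distinct native names that are indistinguishable through the
    Win32 view; such groups show up as duplicate or unopenable keys."""
    groups = {}
    for name in native_names:
        groups.setdefault(win32_view(name), []).append(name)
    return {seen: names for seen, names in groups.items() if len(names) > 1}


def hexdump(data: bytes, width: int = 16) -> list:
    """Classic offset / hex / ASCII dump, one string per line."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{text}|")
    return lines


if __name__ == "__main__":
    for label, raw in (("Registrar (REGEDIT4)", REG4_EXPORT),
                       ("regedit (5.00)", REG5_EXPORT)):
        paths = key_paths(decode_reg_export(raw))
        print(f"{label}: {len(paths)} keys, duplicates: {duplicate_paths(paths)}")

    # The "] then alternating 0A 0D" seen in the regedit dump is just "]\r\n"
    # in UTF-16LE: every byte is followed by 00.
    for line in hexdump("]\r\n".encode("utf-16-le")):
        print(line)

    # Assumption for illustration: the hidden key's real name is the visible
    # GUID followed by a NUL (the real name is not recoverable from the post).
    visible = K3.rsplit("\\", 1)[1]
    hidden = visible + "\x00"
    print(win32_collisions([visible, hidden]))
```

Running it prints two keys for the Registrar export, four for the regedit export with the last path counted twice, the UTF-16LE bytes `5d 00 0d 00 0a 00` for `]\r\n`, and one collision group showing that the visible name and the assumed NUL-suffixed name are the same string to a Win32 caller. To dump the live key rather than an export, the counted-string native API (NtEnumerateKey and friends) is needed, which is what tools like RKR use to spot the `*` entries.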

f0dder:
Hm, unless there's some other hiding thingamajig going on, I'll just attribute this weirdness to buggy software doing its registry writes in a silly way :). Pretty weird that all the keys are empty though. You could try posting about this at the sysinternals RKR forum, see if anybody there has a clue.
