
Rootkitrevealer - Should I Worry?


4 replies to this topic

#1 trodas

Posted 18 September 2007 - 03:19 PM

[Posted image: screenshot of the RootkitRevealer scan results]

My Win2k SP4 is a "little" bit ficked up, true. For example, window positions and sizes are not remembered anymore, and recently not even the power button works, lol. But can it be these weird registry entry things?

Shall I remove them? Shall I worry?

"It is dangerous to be right in matters on which the established authorities are wrong." - Voltaire
"I believe that all the people who stand to profit by a war and who help provoke it should be shot on the first day it starts..." - Hemingway :) my config


#2 quietman7

Posted 19 September 2007 - 01:31 PM

Sorry but I cannot read anything in your image. What problems are you having that you need to use RKR?

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

RKR: Interpreting the Output (scroll down about halfway)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 trodas

Posted 20 September 2007 - 05:01 AM

So you say the SAC* and SAI* policy registry entries are nothing to worry about? Good.
I already figured out by myself that the d347prt entries are my good old Daemon Tools, but the other 4 things still do worry me a little.

Rootkit hook analyzer is running... right now.

[Posted image: screenshot of the Rootkit Hook Analyzer results]

Nothing suspicious, except Daemon Tools here.

PS. Windows still does not remember window positions/sizes when listing drives, but it did that even before. It also does not like to recognize the power button press, but that can be the BIOS too (I've seen the cursed Sapphire lame, not-debugged BIOS do that before; probably a complete BIOS reset can fix that, I'm just too lazy to type down all the settings right now...)...



#4 tos226

Posted 29 September 2007 - 10:34 PM

According to a sticky post on the rootkitrevealer site, the two SAC and SAI items are totally normal. As these are the only two I've ever seen, I can't comment on the rest.

Here is where you can read about it:
http://forum.sysinternals.com/forum_posts.asp?TID=8882

Maybe post #7 here will shed some light on the d637bus.sys:
http://www.wilderssecurity.com/showthread.php?t=106661

Edited by tos226, 29 September 2007 - 10:42 PM.


#5 quietman7

Posted 30 September 2007 - 07:22 AM

I still cannot read the results of the scan in the screenshot you inserted. They are unreadable for me and I can't enlarge the image.

RKR scans for hidden files and hidden registry keys, while other ARKs like Blacklight scan for hidden files and hidden processes. Starting with v1.71, RKR began to scan the HKLM\Security\Policy hive, which contains SAC* and SAI* hidden keys with embedded nulls. As said in the link you provided, that is normal.

Also see "Info on common log entries".
WinGenerics
ODBCINST Entries
Data Mismatches
InprocServer32/embedded nulls
Zero Bytes
Daemon Tools and Alcohol software entries
Cryptography\RNG\Seed\
System Volume Information\_restore
Prefetch

EXAMPLES:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime 12/26/2006 11:10 PM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveStamp 12/26/2006 11:10 PM 16 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 1/3/2007 3:58 PM 80 bytes Data mismatch between Windows API and raw hive data.
(due to something still running in the background that is accessing the Windows Cryptographic service and Windows locks that key while whatever that is running is using the service)

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\42zpces0.default\parent.lock 12/26/2006 8:11 PM 0 bytes Visible in Windows API, but not in MFT or directory index.

How Not 2 Run Rootkit Revealer
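As an added example (not code from the thread, from BleepingComputer or from Sysinternals), a small Python triage script that parses RKR-style output lines like the ones quoted above and marks the benign categories this thread discusses: SAC*/SAI* policy keys, data mismatches on volatile keys, the Firefox parent.lock, and the d347* Daemon Tools entries. The sample lines are constructed; the d347prt service path and the unknown.sys entry are invented to exercise the rules.

```python
import re
from collections import namedtuple

# One-entry-per-line RKR format as quoted in the post above:
#   <path> <m/d/yyyy> <h:mm AM|PM> <size> bytes <description>
RKR_LINE = re.compile(
    r"^(?P<path>.+?) (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+) bytes (?P<desc>.+)$")

# Constructed sample output (not a real scan). Paths follow the thread's
# examples; the d347prt service path and unknown.sys are invented.
SAMPLE_RKR_OUTPUT = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 9/18/2007 3:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/18/2007 3:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime 12/26/2006 11:10 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 1/3/2007 3:58 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\42zpces0.default\parent.lock 12/26/2006 8:11 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
HKLM\SYSTEM\CurrentControlSet\Services\d347prt 9/18/2007 3:10 PM 0 bytes Hidden from Windows API.
C:\WINNT\system32\drivers\unknown.sys 9/18/2007 2:00 PM 24576 bytes Hidden from Windows API.
"""

Finding = namedtuple("Finding", "path when size description verdict")

def classify(path: str, size: int, desc: str) -> str:
    # Benign patterns from the thread; anything else is handed to a human.
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if p.startswith("hklm\\security\\policy") and name[:3] in ("sac", "sai"):
        return "benign: SAC*/SAI* policy keys with embedded nulls (RKR >= 1.71 scans this hive)"
    if "data mismatch" in desc.lower() and (
            "\\reliability\\lastalive" in p or p.endswith("\\cryptography\\rng\\seed")):
        return "benign: volatile key changed between the API read and the raw hive read"
    if name == "parent.lock" and size == 0:
        return "benign: Firefox profile lock file"
    if name.startswith("d347"):
        return "benign: Daemon Tools driver entry (as identified in the thread)"
    return "review: no known-benign pattern; identify the owning software before acting"

def parse_rkr_output(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = RKR_LINE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not an entry
        size = int(m["size"])
        findings.append(Finding(m["path"], m["when"], size, m["desc"],
                                classify(m["path"], size, m["desc"])))
    return findings

def needs_review(findings: list) -> list:
    return [f for f in findings if f.verdict.startswith("review")]
```

Run `needs_review(parse_rkr_output(SAMPLE_RKR_OUTPUT))` to get only the entries the thread's benign rules do not explain.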
