
registry info



#1 nateface


Posted 24 November 2004 - 03:31 AM

okay, if somebody would be so kind as to indulge me for a few minutes.....
..
i cleaned a neighbor's computer the other day. he had the PRORAT trojan.
i printed out some info on how to rid the machine of this trojan from the
Symantec website. in the procedure, it said to look in the registry under
HKLM->Software->Microsoft->Windows->CurrentVersion->Run
well, when i ran regedit and started looking, everything after Optimal
Layout was missing.... so, after checking and rechecking about 5 times
to verify that i was looking in the right place, i decided that it had to be
that this part of the registry was being hidden from my prying eyes.
i eventually was able to clean the machine and then checked the
registry again. now i see it. being the curious person that i am, i
have been trying to find some info online about how the registry works,
and how parts of it were hidden from me. i have found some sites that
skim through bits and pieces of info, but nothing really hard hitting.
if there is something out there that will enlighten me in regards to the
problem i saw, i would be super-duper grateful, and would name a
resident bird in my backyard after them ("oooh, that's such a high
honor" is what i'm hearing underneath your collective breaths). okay,
the reward may not be a king's ransom, but i do have some fairly cool
birds flying in and out of my yard.
:thumbsup:


 


#2 Scarlett


Posted 24 November 2004 - 11:04 AM

This may be of some help. So here you go.

Demystifying the Windows Registry

http://www.bleepingcomputer.com/tutorials/demystifying-the-windows-registry/


And this is what Symantec has to say concerning the PRORAT trojan

http://securityresponse.symantec.com/avcen...oor.prorat.html

I'm not sure if this is what you are looking for, but it is a start.
BTW She will probably need to be a red bird of some kind considering.... :thumbsup:

#3 nateface


Posted 24 November 2004 - 06:02 PM

that is a very good start. however, i still don't know how the trojan hides
part of the registry.
i am going to use the tutorial that you linked to to try and figure it out.
..
now, the question is, i have at least 2 breeding cardinal pairs. one
pair is red and kitty, the other pair has yet to be named. we had
a scarlet tanager pass through our yard, but that was only for one
day, so can't say that i will see it again, but hey, it could be called
scarlet.

#4 Grinler


Posted 25 November 2004 - 10:18 AM

Moved this to appropriate forum. Please use the appropriate forums to ask questions in the future :thumbsup:

Not sure what you mean by it missing after Optimal Layout?

On another note, it is definitely possible to hide portions of the registry.

#5 nateface


Posted 26 November 2004 - 12:41 AM

when i was perusing the registry on his machine, there were no entries
after OptimalLayout. From Policies to WindowsUpdate was missing.
i was using the Symantec info that Scarlett refers to in her post and
checking the registry entries that they mentioned to see what was there,
and verify what his computer had was the prorat trojan. but alas, i
could not check everything due to the fact that it was hidden. so then
and there i decided to see how that was done so that i could either
circumvent something like this in the future, or go directly to the key
that hides portions of the registry and change it to allow everything to
show up.
not having any computer programming or related experience, i don't
know how to use the registry to do everything that i want to. so,
thought i would enlighten myself by getting acquainted with the inner
workings of windows, particularly the registry.



