Rootkit found?
r00t
March 30th, 2005, 12:01 PM
Rootkit Revealer found 2 registry files:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* (O&O Defrag?)
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Prefetcher\TracesProcess
Anyone know what they are for sure?
nick s
March 30th, 2005, 12:30 PM
-{ Quote: "Rootkit Revealer found 2 registry files:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* (O&O Defrag?)
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Prefetcher\TracesProcess
Anyone know what they are for sure?" }-
Hi r00t,
The O&O key is harmless. It is part of O&O products' (such as O&O Defrag) install procedure. The prefetcher key (which is not hidden on my system) may have changed while RootkitRevealer was scanning and comparing the registry. If it did, it will be flagged as a suspicious mismatch.
Nick
r00t
March 30th, 2005, 04:16 PM
Ok thanks Nick :).
judorock
April 24th, 2005, 03:09 PM
I found 3 registry keys with embedded nulls:
HKLM\SYSTEM\ControlSet00n\Services\||||*9052-97CA-4621-8519-3FE5D506CF51}
Should I be worried?
signed,
novice and naive
nick s
April 24th, 2005, 08:47 PM
-{ Quote: "I found 3 registry keys with embedded nulls:
HKLM\SYSTEM\ControlSet00n\Services\||||*9052-97CA-4621-8519-3FE5D506CF51}
Should I be worried?
signed,
novice and naive" }-
Hi judorock,
Generally, if the key and its contents are visible in Windows' registry editor, then it is not related to a rootkit. If you are comfortable with regedit, check to see if they are visible. Note that n is a variable representing a number and that you may have two or more ControlSet... keys. If you need help, I can walk you through it.
Nick
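The two situations Nick describes in this thread, a key that is genuinely hidden from the Win32 API and regedit (for example because its name contains embedded nulls) versus a key that merely changed while RootkitRevealer was comparing its two views, can be told apart by a cross-view comparison with a second API pass. The Python below is an added illustration of that logic and is not RootkitRevealer's code or anything posted in the thread; the "raw hive" and "API" listings are constructed sample data standing in for what a tool would read from the hive file and through the registry API, and the GUID-style key name is a placeholder.

```python
"""Cross-view registry comparison in the style discussed in the thread.

A high-level (Win32 API / regedit) listing of subkeys is compared with a
low-level (raw hive) listing; every name not present in both is reported.
A second API pass separates keys that are really hidden from keys that
simply changed while the scan was running.  All key names in the sample
data below are constructed; none come from a real host.
"""

from dataclasses import dataclass

NUL = "\x00"


def api_visible_name(raw_name: str) -> str:
    """Return the name a Win32-style enumeration would present.

    Win32 registry calls hand key names around as NUL-terminated strings, so
    a name with an embedded NUL is cut off at the first NUL.  regedit is built
    on those calls, which is why such a key cannot be shown or opened there,
    while a raw hive read returns the full, counted name.
    """
    return raw_name.split(NUL, 1)[0]


def printable(raw_name: str) -> str:
    """Render embedded NULs as '\\0' so a finding can be printed safely."""
    return raw_name.replace(NUL, "\\0")


@dataclass(frozen=True)
class Finding:
    name: str      # key name, NULs escaped
    severity: str  # "hidden" or "transient"
    reason: str


def compare_views(raw_keys, api_pass1, api_pass2):
    """raw_keys: subkey names read directly from the hive (may contain NULs).
    api_pass1, api_pass2: the same parent enumerated twice through the API,
    a short time apart.  Returns a list of Finding, hidden entries first
    in raw-name order, then API-only transients."""
    raw = set(raw_keys)
    api1, api2 = set(api_pass1), set(api_pass2)
    findings = []

    for name in sorted(raw):
        shown = api_visible_name(name)
        if NUL in name:
            findings.append(Finding(printable(name), "hidden",
                "embedded NUL in key name; not visible via Win32 API or regedit"))
        elif shown not in api1 and shown not in api2:
            findings.append(Finding(name, "hidden",
                "present in raw hive but in neither API pass"))
        elif shown not in api1 or shown not in api2:
            findings.append(Finding(name, "transient",
                "present in only one API pass; key changed during the scan, rescan to confirm"))

    # Names the API returned that the raw read never saw were created after
    # the raw snapshot: a timing artefact, not concealment.
    raw_shown = {api_visible_name(n) for n in raw}
    for name in sorted((api1 | api2) - raw_shown):
        findings.append(Finding(name, "transient",
            "seen by the API but absent from the raw snapshot; key created during the scan"))
    return findings


# Constructed sample data for HKLM\SYSTEM\ControlSet001\Services (hypothetical).
RAW_SERVICES = [
    "Browser",
    "Dnscache",
    NUL * 4 + "{00000000-0000-0000-0000-000000000000}",  # NUL-prefixed placeholder name
    "NewSvc",                                            # registered while the scan ran
]
API_PASS1 = ["Browser", "Dnscache"]
API_PASS2 = ["Browser", "Dnscache", "NewSvc", "LateSvc"]  # LateSvc created after the raw read


def report(findings):
    """One line per finding, suitable for a scan log."""
    return [f"[{f.severity:9}] {f.name}: {f.reason}" for f in findings]


if __name__ == "__main__":
    for line in report(compare_views(RAW_SERVICES, API_PASS1, API_PASS2)):
        print(line)
```

Only the NUL-named key is reported as hidden; NewSvc and LateSvc come out as transient, which is exactly the "changed while scanning" explanation Nick gives for the Prefetcher key, and the practical response is to rescan rather than to treat the entry as a rootkit.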
judorock
April 24th, 2005, 09:15 PM
There are three lines where n=1, 2, and 3.
I've never used regedit and only know enough to be scared of really mucking things up. Sounds like I might be able to use regedit just to look at things?
nick s
April 24th, 2005, 09:27 PM
-{ Quote: "There are three lines where n=1, 2, and 3.
I've never used regedit and only know enough to be scared of really mucking things up. Sounds like I might be able to use regedit just to look at things?" }-
It is safe to view the registry with regedit. You will be asked to confirm deletions if you accidentally try to delete something, and making most changes is usually a multi-step procedure. However, it is a good practice to make regular registry backups using something like ERUNT (http://www.larshederer.homepage.t-online.de/erunt/).
Nick