possible rootkit?

hi

I ran rootkitrevealer today and it says that it found a registry key containing embedded nulls here

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 23/01/2005 13:51 0 bytes Key name contains embedded nulls (*)

I scanned with kav,trojanhunter,unhackme and MSAS and they didn't find anything,but according to sysinternals this is a technique employed by rootkits and malware to hide data

I don't know whether I should be concerned by these results or if it's just something completely innocuous,I hope someone can make some sense of this, I have to confess, i’m way out of my depth


Thanks

Kaupp

 

are you running the newest version 1.2 ?

with Hide standard NTFS medata files checked?

Bruce

 

Hi Kaupp,

RootkitRevealer spotted the same key on my system (see my post at RootkitRevealer v1.10 results). In my case, it was a result of installing O&O Defrag and DriveLED. If you want to view the contents of the key, first use ERUNT to create a registry backup. Next, use the trial version of RegdatXP to load the file called "software" that ERUNT backed up. Now you can navigate to that key and see what's there.

Nick

 

Thanks for your reply and links Nick!

I checked with regdat and it turns out to be just oodefrag workstation.

Happy Trails

 

I had a similar issue running rootkitrevealer, so I then ran ERUNT and RegdatXP, and I find that I have some keys in the following paths with embedded nulls
In HKLM\SOFTWARE\Classes\CLSID\{.....}

Each of the entries as an InprocServer32 entry which contains:

(Default value) REG_SZ C:\WINDOWS\System32\OLE32.DLL
<hex string> REG_BINARY <other hex string>
ThreadingModel REG_SZ Apartment

Should I be worried about this?

 

Hi nettlebed,

In the absence of other evidence, such as hidden files/executables and hidden registry entries pointing to services/autostarts, I would assume that those keys do no harm. System32\OLE32.DLL is a legitimate file. Mine has a version number of 2.10.35.35 (XP SP2) with an MD5 of 145AA8ECF0526C093F71117C181694AB.

Nick

 

Hi Nick.

Thanks for the reply. The reason I am a little concerned is that all the other CLSID entries have only the (Default value) and the ThreadingModel registry keys, and have no extra key with embedded nulls. Given that sysinternals.com says that this is a potential way to hide rootkits, and that the extra keys contain hex values (machine code?) I'm kinda worried...

nettie

 

It might be a good idea to send an e-mail to Mark Russinovich. I hear that he is pretty quick to reply to questions. I have read that keys with embedded nulls have legitimate uses and are used by Microsoft itself. Beyond that I have not been able to find much info.

Nick

 

bad form to quote onesself, I know, but I've just run Rootkit Detector, and it's reporting that oleaut32.dll, mscrvt.dll and ole32.dll seem to be hooked. I'm not too sure whether to be worried about this? Any advice would help.

 

If you're comfortable using the command line, try running kproccheck. The beta works with XP. You can save the output to text by adding > whatever.txt to your commands.

Nick

Edit: ran RKD here and also get a mscrvt.dll hook alert.

 

Re: possible rootkit? -- please read/new problem

I just ran Sysinternals RootkitRevealer (http://www.sysinternals.com) and it found the following registry keys with "embedded nulls" in the key "Microsoft\Internet Explorer\vars-normal." SysInternals indicates that embedded nulls can be used to hide registry data and could be a sign of a rootkit. I tried to open the keys using regedit and got the following error message: "Cannot open Vars-Normal: Error while opening key."

I have tried exporting and then deleting the key, but needless to say I can't open it so I can't delete it. I subesequently found this thread, and followed the steps above. (Thanks for that advice btw, which was excellent). I backed up with Erunt and then open the key using regdatXP.

Here's what it contains:

Name : config
Type : REG_BINARY
Value: 5C 00 00 00 61 04 06 00 6C 28 04 00 ...

Name : id
Type : REG_DWORD
Value: 0x00006996 (27030)

Name : LastChange
Type : REG_DWORD
Value: 0x00000000 (0)

Name : LastConfigDownload
Type : REG_DWORD
Value: 0x4212C512 (1108526354)

Name : LastPopup
Type : REG_DWORD
Value: 0x420EE34D (1108271949)

Name : MyCLSID
Type : REG_BINARY
Value: CD 76 8A BE BD 14 D0 42 A5 F0 C8 6B ...



The full value of MyClsid:
0000 cd 76 8a be bd 14 d0 42 ÍvŠ¾½.ÐB
0008 a5 f0 c8 6b 6f f2 ef 35 ¥ðÈkoòï5

The full value of Reg Binary

0000 5c 00 00 00 61 04 06 00 \...a...
0008 6c 28 04 00 cb 22 03 00 l(..Ë"..
0010 43 ce 53 00 db 6a 0f 00 CÎS.Ûj..
0018 53 b8 0c 00 2b 5c 0b 00 S¸..+\..
0020 23 41 09 00 3b 25 17 00 #A..;%..
0028 33 a9 15 68 87 61 83 3a 3©.h‡aƒ:
0030 f0 00 8a 77 90 67 88 65 ð.Šwgˆe
0038 b2 0d 85 65 65 b0 9d 6f ².…ee°o
0040 6e 92 8f 6e 41 b5 47 69 n’nAµGi
0048 41 8c 8f 78 05 3e 84 74 AŒx.>„t
0050 76 30 2e 00 db 55 20 00 v0..ÛU .
0058 ee 46 00 00 îF..


The key "last popup" makes me think it is harmless, but there is also a sub-branch called BinaryCache which is disturbing:

Microsoft\Internet Explorer\vars-normal\BinaryCache


Should I be concerned? What causes an error opening a key, and should it be deleted? (If so, how?)


Thanks in advance.

 

Hi Butters,

As I told nettlebed, in the absence of any other evidence, I would not assume that a rootkit is present. Do you have any IE-specific security apps or add-ons that do pop-up blocking? If you do, blocking access to that key may be a security "feature" to prevent tampering. There is a method to allow access to the key, but it involves hex-editing a backup of the "software" hive and then restoring the backup over the current file. Then you will be able to delete it. Not something I would try unless I was absolutely sure the key was malware related.

Another option, that may help provide some info about the app that uses that key, is to install the trial version of RegDefend. Then add the Microsoft\Internet Explorer\vars-normal key and subkey as protected items with all read and modify accesses set to "Ask User". Then use your computer normally and wait for RegDefend to alert you.

Nick

 

That's just the problem, I don't use IE and no IE-specific pop-up blockers are installed. (It is possible that it is related to some program that I have since uninstalled, but this installation of XP is only about a year old). I use Mozilla so I have little need for a popup blocker. I don't have any specific evidence to suggest a rootkit, however I did recently have trouble uninstalling some software that I downloaded because the program continued to run as a process (freeware, TV-listing program). I couldn't kill the process and finally had to delete the files in safemode. I then encountered difficulty emptying the recycle bin and had to do that in safemode too. After this occured I tried to scan with Pest Patrol and found that all files related to Pest Patrol had been deleted. I don't know how or when this occured. I have re-installed PP, scanned and found nothing.

I will look into Regdefend.

 

I downloaded the latest rootkitrevealer today (had a TechNet-day by David Solomon yesterday) and got exactly the same result.

(Also saw some garbage from NAV in the registry, wich I deinstalled around the time of the timestamp on the OLE32-registry entries. This beacause NAV was infected... and AVG/filemon caught it in the act of trying to replicate).