Rootkit found?

Discussion in 'privacy problems' started by r00t, Mar 30, 2005.

Thread Status:
Not open for further replies.
  1. r00t

    r00t Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    33
    Rootkit Revealer found 2 registry files:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* (O&O Defrag?)

    HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Prefetcher\TracesProcess

    Anyone know what they are for sure?
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi r00t,

    The O&O key is harmless. It is part of O&O products' (such as O&O Defrag) install procedure. The prefetcher key (which is not hidden on my system) may have changed while RootkitRevealer was scanning and comparing the registry. If it did, it will be flagged as a suspicious mismatch.

    Nick
     
    Last edited: Mar 30, 2005
  3. r00t

    r00t Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    33
    Ok thanks Nick :).
     
  4. judorock

    judorock Guest

    I found 3 registry keys with embedded nulls:
    HKLM\SYSTEM\ControlSet00n\Services\||||*9052-97CA-4621-8519-3FE5D506CF51}
    Should I be worried?
    signed,
    novice and naive
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi judorock,

    Generally, if the key and its contents are visible in Windows' registry editor, then it is not related to a rootkit. If you are comfortable with regedit, check to see if they are visible. Note that n is a variable representing a number and that you may have two or more ControlSet... keys. If you need help, I can walk you through it.

    Nick
     
  6. judorock

    judorock Guest

    there are three lines where n=1, 2, and 3
    I've never used regedit and only know enough to be scared of really mucking things up. Sounds like I might be able to use regedit just to look at things?
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It is safe to view the registry with regedit. You will be asked to confirm deletions if you accidentally try to delete something, and making most changes is usually a multi-step procedure. However, it is a good practice to make regular registry backups using something like ERUNT.

    Nick
     
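The check Nick describes in posts 2 and 5 (if the Windows API, which is what regedit uses, can open the key and show its contents, it is not being hidden from the API; a mismatch can also just mean the key changed between RootkitRevealer's two passes) can be scripted. The PowerShell below is an added example and is not from the thread, from RootkitRevealer, or from Sysinternals. It assumes paths written the way the thread quotes them ("HKLM\..."), treats "ControlSet00n" as a placeholder to expand to every numbered ControlSet under HKLM\SYSTEM, and tries the last path component as a value name if it is not a subkey (on XP the Prefetcher entry is a value named TracesProcessed under "Windows NT\CurrentVersion\Prefetcher", with a space in "Windows NT"). The sample paths are constructed; the Services entry named ExampleMissingKey is made up to show what a non-visible entry looks like, and is not the key judorock reported.

```powershell
# Added example (not from the thread or from RootkitRevealer).
# Given registry paths in the form RootkitRevealer prints them, report whether
# the Windows API (what regedit and the PowerShell registry provider use) can
# see each one. Visible = not hidden from the API; not visible = look closer,
# or re-run the scan in case the entry changed between the two passes.

function Expand-ControlSetPath {
    # "ControlSet00n" is the thread's placeholder for ControlSet001, 002, ...
    # Expand it to every numbered control set present on this machine.
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -notmatch 'ControlSet00n') { return $Path }
    Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { $Path -replace 'ControlSet00n', $_.PSChildName }
}

function Test-RegistryPathVisible {
    param([Parameter(Mandatory)][string]$Path)

    # Map RootkitRevealer's hive abbreviations onto provider paths.
    $map = @{
        'HKLM' = 'HKLM:'
        'HKCU' = 'HKCU:'
        'HKU'  = 'Registry::HKEY_USERS'
        'HKCR' = 'Registry::HKEY_CLASSES_ROOT'
    }
    $hive, $rest = $Path -split '\\', 2
    if (-not $map.ContainsKey($hive)) { throw "Unknown hive prefix '$hive' in '$Path'" }
    $psPath = "$($map[$hive])\$rest"

    $result = [ordered]@{ Path = $Path; Kind = 'missing'; Visible = $false; Detail = '' }

    # 1. Try it as a key.
    $key = Get-Item -LiteralPath $psPath -ErrorAction SilentlyContinue
    if ($key) {
        $result.Kind    = 'key'
        $result.Visible = $true
        $result.Detail  = '{0} subkeys, {1} values' -f $key.SubKeyCount, $key.ValueCount
        return [pscustomobject]$result
    }

    # 2. Not a key: maybe the last component is a value under the parent key.
    $idx    = $psPath.LastIndexOf('\')
    $parent = $psPath.Substring(0, $idx)
    $leaf   = $psPath.Substring($idx + 1)
    $parentKey = Get-Item -LiteralPath $parent -ErrorAction SilentlyContinue

    if ($parentKey -and ($parentKey.GetValueNames() -contains $leaf)) {
        $result.Kind    = 'value'
        $result.Visible = $true
        $result.Detail  = 'type {0}' -f $parentKey.GetValueKind($leaf)
    } elseif ($parentKey) {
        # Parent is visible but the reported leaf is not: either the API cannot
        # show it, or it changed/was deleted after RootkitRevealer's scan.
        $result.Kind   = 'leaf-missing'
        $result.Detail = 'parent visible; no such subkey or value; re-scan before concluding'
    } else {
        $result.Detail = 'parent key not visible to the Windows API either'
    }
    [pscustomobject]$result
}

# Constructed sample input in the thread's notation (ControlSet00n placeholder).
# Tcpip is a service key present on every Windows install; ExampleMissingKey is
# a made-up name used only to exercise the not-visible branch.
$reported = @(
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed',
    'HKLM\SYSTEM\ControlSet00n\Services\Tcpip',
    'HKLM\SYSTEM\ControlSet00n\Services\ExampleMissingKey'
)

$reported |
    ForEach-Object { Expand-ControlSetPath $_ } |
    ForEach-Object { Test-RegistryPathVisible $_ } |
    Format-Table Path, Kind, Visible, Detail -AutoSize
```

Run it from an elevated PowerShell so HKLM\SYSTEM is readable. A "leaf-missing" line is not proof of a rootkit; RootkitRevealer itself warns that entries which change during the scan show up as mismatches, so repeat the scan first. If you do decide to change anything afterwards, keep Nick's advice about a full ERUNT backup; for a single key, `reg export "HKLM\SYSTEM\ControlSet001\Services\Tcpip" tcpip.reg` is a quick per-key copy (my suggestion, not something from the thread).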