RootkitRevealer v1.10 results

Discussion in 'other anti-malware software' started by spy1, Mar 2, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thought I'd throw this up in case people wanted to compare results.

    Not sure what that first one's about, but the three after that are probably due to the fact that I'm running Javacool's IDBlaster.

    NetWatchman has a couple, but they're no concern - all the rest are dated so far back (probably from when I installed the not-so-new-anymore hard-drive) that they're of no concern, either.

    Pretty cool program, all-in-all. Pete

  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Found one registry discrepancy worth looking at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System

    From the new help file:

    Key name contains embedded nulls.

    The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit. The Reghide sample code at Sysinternals demonstrates this technique, which is used by both malware and rootkits to hide Registry data.


    Nick
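A detection check for the embedded-null technique the help file excerpt describes, added here as an example (not code from the thread, from RootkitRevealer, or from the Sysinternals Reghide sample): it enumerates subkeys through the native NtEnumerateKey call, which returns counted names, and flags any name that the null-terminated Win32 view (Regedit, RegEnumKeyEx) would truncate. The decoding helpers run on any platform; the live enumeration is Windows-only and the hive/path arguments are whatever you choose to scan.

```python
"""Flag registry subkeys whose counted (kernel) name contains an embedded null."""
import ctypes
import struct
import sys

KEY_BASIC_INFORMATION = 0           # KEY_INFORMATION_CLASS value for KeyBasicInformation
STATUS_NO_MORE_ENTRIES = 0x8000001A
NAME_OFFSET = 16                    # LastWriteTime(8) + TitleIndex(4) + NameLength(4)


def basic_info_blob(name: str) -> bytes:
    """Build a KEY_BASIC_INFORMATION buffer for a given name (used for offline testing)."""
    raw = name.encode("utf-16-le")
    return bytes(12) + struct.pack("<I", len(raw)) + raw


def counted_name_from_buffer(buf: bytes) -> str:
    """Decode the key name using the counted NameLength (bytes), as the kernel does."""
    name_len = struct.unpack_from("<I", buf, 12)[0]
    return buf[NAME_OFFSET:NAME_OFFSET + name_len].decode("utf-16-le")


def win32_visible_name(counted: str) -> str:
    """What a null-terminated consumer such as Regedit sees: everything before the first NUL."""
    return counted.split("\x00", 1)[0]


def has_embedded_null(counted: str) -> bool:
    return "\x00" in counted


def suspicious_subkeys(hive, path):
    """Return (counted_name, win32_name) for subkeys of hive\\path that embed a NUL.

    Windows only: on other platforms it returns [] without touching ntdll."""
    if sys.platform != "win32":
        return []
    import winreg
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtEnumerateKey.restype = ctypes.c_long
    ntdll.NtEnumerateKey.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_ulong,
                                     ctypes.POINTER(ctypes.c_ulong)]
    found, index = [], 0
    buf, result_len = ctypes.create_string_buffer(2048), ctypes.c_ulong()
    with winreg.OpenKey(hive, path) as key:
        while True:
            status = ntdll.NtEnumerateKey(key.handle, index, KEY_BASIC_INFORMATION,
                                          ctypes.cast(buf, ctypes.c_void_p),
                                          ctypes.sizeof(buf), ctypes.byref(result_len)) & 0xFFFFFFFF
            if status == STATUS_NO_MORE_ENTRIES:
                break
            if status != 0:
                raise OSError(f"NtEnumerateKey failed: 0x{status:08X}")
            name = counted_name_from_buffer(buf.raw)
            if has_embedded_null(name):
                found.append((name, win32_visible_name(name)))
            index += 1
    return found
```

On a Windows host, `suspicious_subkeys(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion")` lists the hidden names together with the truncated names Regedit would display.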

  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It turns out that the key value is not viewable in Regedit, even with SYSTEM privileges. I had to use RegdatXP to view a registry dump and found this.

    Nick

    Last edited: Mar 2, 2005
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    oooh ohhhhh, something bad is going on again...:)

    Till some product (like those rootkit killers...) is effectively tested against a lot of rootkits by some real anti-trojan specialists, I won't begin to compare results...because I'll end up with the same questions asked, just like you Pete, and to be honest...a fresh install with PG keeps me safe till further notice, I think.

    I love regrun (registered gold member) but I need far more info to test such rootkit killers or even use them myself manually.

    But I am mostly interested in what all those things mean on your machine; maybe some expert in this area can elaborate on this further, because this is most interesting...some guidelines are appreciated.

    Inf.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    If you run RootkitRevealer v1.10 at least once, you will likely see this error in your System event log after every reboot:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 3/2/2005
    Time: 7:19:18 PM
    User: N/A
    Computer:
    Description:
    The following boot-start or system-start driver(s) failed to load:
    RKREVEAL110


    The error can be eliminated by deleting the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RKREVEAL110

    Just a heads up.

    Nick

  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Spanner, mostly interesting and trying it at the moment :D
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    nick s - As I'm sure you know by now, a fix was made for that problem (no change in version #, just a new, fixed one put up for d/l).

    So I'm down to only 15 entries now:
    C:\$AttrDef 2/11/2004 7:00 AM 2.50 KB Hidden from Windows API.
    C:\$BadClus 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$BadClus:$Bad 2/11/2004 7:00 AM 152.66 GB Hidden from Windows API.
    C:\$Bitmap 2/11/2004 7:00 AM 4.77 MB Hidden from Windows API.
    C:\$Boot 2/11/2004 7:00 AM 8.00 KB Hidden from Windows API.
    C:\$Extend 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$ObjId 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$Quota 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$Reparse 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$LogFile 2/11/2004 7:00 AM 64.00 MB Hidden from Windows API.
    C:\$MFT 2/11/2004 7:00 AM 36.27 MB Hidden from Windows API.
    C:\$MFTMirr 2/11/2004 7:00 AM 4.00 KB Hidden from Windows API.
    C:\$Secure 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$UpCase 2/11/2004 7:00 AM 128.00 KB Hidden from Windows API.
    C:\$Volume 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.

    (Which, BTW, are the same 15 shown in the example over on the PCWorld article - and thus benign).

    However, this time around I got a warning from ProcessGuard that RKR was trying to set a global mouse hook:

    "Thu 03 - 13:24:46 [GLOBAL HOOK] [3292] was blocked from creating a global Mouse hook" - which I really don't remember getting last time (physical memory NOT TOO GOOD here!). I allowed it so that it wouldn't affect the test results, then removed the allow afterwards. Pete
     
    Last edited: Mar 5, 2005
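A small triage helper for RootkitRevealer's text output, added here as an example (not part of the thread or of the tool): it parses result lines in the format spy1 posted and separates the NTFS metafile entries (paths beginning with `$` at the volume root, such as `$MFT` and `$Extend\$ObjId`, which the API hides by design) from discrepancies that still need a look. The sample input is constructed; the final `example.sys` line is a hypothetical path added only to show a non-metafile hit.

```python
import re
from dataclasses import dataclass

# Constructed sample: four of the lines spy1 posted plus one hypothetical entry.
SAMPLE = """\
C:\\$AttrDef 2/11/2004 7:00 AM 2.50 KB Hidden from Windows API.
C:\\$BadClus:$Bad 2/11/2004 7:00 AM 152.66 GB Hidden from Windows API.
C:\\$Extend\\$ObjId 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
C:\\$MFT 2/11/2004 7:00 AM 36.27 MB Hidden from Windows API.
C:\\WINDOWS\\system32\\example.sys 3/5/2005 1:24 PM 12.00 KB Hidden from Windows API.
"""

# path date time size description (paths without spaces, as in the posted output)
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S*) (?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+ [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)
# NTFS metafiles live at the volume root and start with '$' ($MFT, $Extend\$Quota, ...)
NTFS_METAFILE_RE = re.compile(r"^[A-Za-z]:\\\$")


@dataclass
class Entry:
    path: str
    size: str
    desc: str

    @property
    def ntfs_metafile(self) -> bool:
        return bool(NTFS_METAFILE_RE.match(self.path))


def parse(text: str) -> list:
    """Parse RootkitRevealer result lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["path"], m["size"], m["desc"]))
    return entries


def needs_review(text: str) -> list:
    """Paths that are hidden from the Windows API but are not NTFS metafiles."""
    return [e.path for e in parse(text) if not e.ntfs_metafile]


if __name__ == "__main__":
    for p in needs_review(SAMPLE):
        print("review:", p)
```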
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi spy1,

    I think they released the latest build (timestamped 3/3/2005 11:02 AM) about the same time I was posting that. They released an updated build of Autoruns 7.0 about the same time (fixing a bug that caused a crash when scanning Winsock providers).

    My results are now identical to yours. However, I have yet to get that PG alert after several scans on different systems.

    Nick
     