RootkitRevealer v1.10 results

Thought I'd throw this up in case people wanted to compare results.

Not sure what that first one's about, but the three after that are probably due to the fact that I'm running Javacool's IDBlaster.

NetWatchman has a couple, but they're no concern - all the rest are dated so far back (probably from when I installed the not-so-new-anymore hard-drive) that they're of no concern, either.

Pretty cool program, all-in-all. Pete

 

Found one registry discrepancy worth looking at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System

From the new help file:

Key name contains embedded nulls.

The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit. The Reghide sample code at Sysinternals demonstrates this technique, which is used by both malware and rootkits to hide Registry data.

Nick

 

It turns out that the key value is not viewable in Regedit, even with SYSTEM privileges. I had to use RegdatXP to view a registry dump and found this.

Nick

 

oooh ohhhhh, something bad is going on again...

till some product (like those rootkit killers...) is effectively tested against a lot of rootkits by some real antitrojan specialists, I won't begin to compare with results...cause I'll end up with the same questions asked, just like you Pete and to be honest...a fresh install with pg keeps me safe till further notice I think.

I love regrun (registered gold member) but I need far more info to test such rootkit killers or even use them myself manually.

But I am mostly interested what all those things mean at your machine, maybe some expert in this area can elaborate this further cause this is most interesting...some guidelines are appreciated.

Inf.

 

If you run RootkitRevealer v1.10 at least once, you will likely see this error in your System event log after every reboot:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 3/2/2005
Time: 7:19:18 PM
User: N/A
Computer:
Description:
The following boot-start or system-start driver(s) failed to load:
RKREVEAL110

The error can be eliminated by deleting the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RKREVEAL110

Just a heads up.

Nick

 

Thanx Spanner, mostly interesting and trying it at the moment

 

nick s - As I 'm sure you know by now, a fix was made for that problem (no change in version #, just a new, fixed one put up for d/l.

So I'm down to only 15 entries now:
C:\$AttrDef 2/11/2004 7:00 AM 2.50 KB Hidden from Windows API.
C:\$BadClus 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 2/11/2004 7:00 AM 152.66 GB Hidden from Windows API.
C:\$Bitmap 2/11/2004 7:00 AM 4.77 MB Hidden from Windows API.
C:\$Boot 2/11/2004 7:00 AM 8.00 KB Hidden from Windows API.
C:\$Extend 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
C:\$LogFile 2/11/2004 7:00 AM 64.00 MB Hidden from Windows API.
C:\$MFT 2/11/2004 7:00 AM 36.27 MB Hidden from Windows API.
C:\$MFTMirr 2/11/2004 7:00 AM 4.00 KB Hidden from Windows API.
C:\$Secure 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
C:\$UpCase 2/11/2004 7:00 AM 128.00 KB Hidden from Windows API.
C:\$Volume 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.

(Which, BTW, are the same 15 shown in the example over on the PCWorld article - and thus benign).

However, this time around I got a warning from ProcessGuard that RKR was trying to set a global mouse hook:

"Thu 03 - 13:24:46 [GLOBAL HOOK] [3292] was blocked from creating a global Mouse hook" - which I really don't remember getting last time (physical memory NOT TOO GOOD here! ). I allowed it so that it wouldn't affect the test results, then removed the allow afterwards. Pete

 

Hi spy1,

I think they released the latest build (timestamped 3/3/2005 11:02 AM) about the same I was posting that. They released an updated build of Autoruns 7.0 about the same time (fixing a bug that caused a crash when scanning Winsock providers).

My results are now identical to yours. However, I have yet to get that PG alert after several scans on different systems.

Nick