Weird reg keys surfaced at RootKitReveal Scan

Discussion in 'malware problems & news' started by Gandalf123, Oct 23, 2005.

Thread Status:
Not open for further replies.
  1. Gandalf123

    Gandalf123 Guest

    Hi dear wilders.

    I'm by no means a security expert, so I could really use some advice on this one:

    I scanned my system using RootKitReveal, and got 3 puzzling discrepancies in the registry:
    1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€쀐㸸 , discrepancy: 0 bytes Key name contains embedded nulls (*)
    2) HKLM\SOFTWARE\ODBC\ODBCINST.INI\Conversor de página de código MS , discrepancy: 0 bytes Hidden from Windows API.
    3) HKLM\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page-Übersetzer , discrepancy: 0 bytes Hidden from Windows API.

    The last two keys contain addressing to C:\WINDOWS\System32\MSCPXL32.dll, and my guess is they are just some benign translation-feature keys. The first key (the one with the gibberish chars), however, contains 2 weird value data:
    a) C:\WINDOWS\System32\ReinstallBackups\€쀐㸸\DriverFiles\.INF ,
    b) c:\ati\support\wxp-w2k-catalyst-7-962-031202m1-012924c\driver\2kxp_inf\cx_12924.inf
    (again, the gibberish chars are given as is). The two values seem unrelated, and it seems weird to me they should be in the same registry key.


    Anyone familiar with these inf's or reg keys? Are they some sort of malware?

    I'd MUCH appreciate any knowledgeable advice.
     
  2. Tom772

    Tom772 Guest

    Hi, Gandalf123,

    These two links should help you out with what RR is detecting:

    http://www.sysinternals.com/Forum/forum_posts.asp?TID=1761&KW=ODBCINST.INI

    http://www.sysinternals.com/Forum/forum_posts.asp?TID=333&KW=Reinstall

    Regards T
     