Weird results from rootkit revealer

Discussion in 'malware problems & news' started by Andrewski, Apr 10, 2005.

Thread Status:
Not open for further replies.
  1. Andrewski

    Andrewski Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    3
    I just scanned my pc using the latest version of rootkit revealer (1.4) and found these strange entries:

    HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 2/24/2005 8:20 PM 26 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 2/25/2005 1:05 AM 0 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\coolprt\Cfg\0Jf40 4/10/2005 9:06 PM 0 bytes Hidden from Windows API.

    Not surprisingly, they didn't show up in regedit so I loaded a bootcd & found the files. I then exported them to a reg file & deleted them. When I restarted, I scanned again and

    HKLM\SYSTEM\ControlSet001\Services\coolprt\Cfg\0Jf40 4/10/2005 9:06 PM 0 bytes Hidden from Windows API.

    Showed up again. I have the reg files on my hard drive but they're all hex, nothing comprehensible. Also, I googled coolprt and couldn't find anything. I looked in my system32/drivers and found a file named coolprt.sys that is 5kb and in the description says "SCSI miniport". There's no company name or other info except for the version which says "3.47.0.0 built by: WinDDK". Upon googling this, it came up with results for Nero and Alcohol 120%, both of which I have installed. What I'm wondering is, is there anything to be concerned about or is it just a component of one of those programs? Thanks for your time :)
     
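An added example (not from any poster in this thread) for triaging output of the form quoted above: it parses RootkitRevealer's text lines, pulls out the service name behind each key hidden from the Windows API (the driver file to inspect, as the poster did for coolprt.sys), and reports which hidden keys came back after being deleted offline. The sample scans are constructed from the lines in the post.

```python
import re
from datetime import datetime

# Constructed sample modelled on the RootkitRevealer 1.4 lines quoted in the post above.
FIRST_SCAN = """\
HKLM\\SOFTWARE\\Classes\\Installer\\Products\\32418F9EE1126B64A90E8365B85CFCF6\\ProductName 2/24/2005 8:20 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\\SYSTEM\\ControlSet001\\Services\\a347scsi\\Config\\jdgg40 2/25/2005 1:05 AM 0 bytes Hidden from Windows API.
HKLM\\SYSTEM\\ControlSet001\\Services\\coolprt\\Cfg\\0Jf40 4/10/2005 9:06 PM 0 bytes Hidden from Windows API.
"""
# Constructed: the scan after the keys were deleted from a boot CD and the machine restarted.
SECOND_SCAN = """\
HKLM\\SYSTEM\\ControlSet001\\Services\\coolprt\\Cfg\\0Jf40 4/10/2005 9:06 PM 0 bytes Hidden from Windows API.
"""

# <key path> <m/d/yyyy h:mm AM|PM> <n> bytes <discrepancy description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+) bytes\s+(?P<desc>.+)$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)\\", re.IGNORECASE)

def parse(report):
    """Turn RootkitRevealer text output into dicts; lines that don't fit are skipped."""
    rows = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        svc = SERVICE_RE.search(m["path"])
        rows.append({
            "path": m["path"],
            "when": datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M %p"),
            "size": int(m["size"]),
            "hidden": m["desc"].startswith("Hidden from Windows API"),
            "service": svc.group(1) if svc else None,
        })
    return rows

def driver_candidates(rows):
    """Service names whose keys are hidden from the API: check for a matching
    %SystemRoot%\\system32\\drivers\\<name>.sys and its version/company fields."""
    return sorted({r["service"] for r in rows if r["hidden"] and r["service"]})

def reappeared(before, after):
    """Hidden keys deleted offline that are back in the next scan: something that
    still runs at boot re-creates them, which is the strongest signal in the thread."""
    return sorted({r["path"] for r in after if r["hidden"]} & {r["path"] for r in before})
```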
  2. controler

    controler Guest

  3. Andrewski

    Andrewski Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    3
    Huh? Maybe I'm just stupid, but that post doesn't mean anything to me =/
     
  4. controler

    controler Guest

    That is the only google I found with reference to coolprt.

    It seems strange using the same abbreviation for printer and port PRT.

    I was getting a registry entry from rootkitrevealer that I thought for sure was related to a file sharing program called Bitcomet.
    It always comes back when deleted.
    With the latest version of rootkitrevealer, I don't get that entry anymore.

    My laptop has a miniport driver ( modem) also and rootkitrevealer doesn't tag it.
    I was able to view my files in regedit though.
    I am sure you have your system set to show system & hidden files?

    Bruce
     
  5. Andrewski

    Andrewski Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    3
    Yeah.. and, as I said, I was able to view the keys using a bootable OS.
     
  6. Mephisto

    Mephisto Guest

    Services\coolprt ... It looks like it's running as a Windows service. You should be able to find it in the list of services. If it is a hidden service then you may have something bad going on.

    Do you use a coolport outlet?
    Coolport outlets enable you to operate up to 3 different devices (PC, Tel or Fax) over one cable.
     