Weird results from rootkit revealer

Discussion in 'malware problems & news' started by Andrewski, Apr 10, 2005.

Thread Status:
Not open for further replies.
  1. Andrewski

    Andrewski Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    3
    I just scanned my pc using the latest version of rootkit revealer (1.4) and found these strange entries:

    HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 2/24/2005 8:20 PM 26 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 2/25/2005 1:05 AM 0 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\coolprt\Cfg\0Jf40 4/10/2005 9:06 PM 0 bytes Hidden from Windows API.

    Not surprisingly, they didn't show up in regedit so I loaded a bootcd & found the files. I then exported them to a reg file & deleted them. When I restarted, I scanned again and

    HKLM\SYSTEM\ControlSet001\Services\coolprt\Cfg\0Jf40 4/10/2005 9:06 PM 0 bytes Hidden from Windows API.

    Showed up again. I have the reg files on my harddrive but they're all hex, nothing comprehensible. Also, I googled coolprt and couldn't find anything. I looked in my system32/drivers and found a file named coolprt.sys that is 5kb and in the description says "SCSI miniport".THere's no company name or other info except for the version which says "3.47.0.0 built by: WinDDK". Upon googling this, it came up with results for nero and Alcohol 120%, both of which I have installed. What I'm wondering is, is there anything to be concerned about or is it just a component of one of those programs? Thanks for your time :)
     
  2. controler

    controler Guest

  3. Andrewski

    Andrewski Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    3
    Huh? Maybe I'm just stupid, but that post doesn't mean anything to me =/
     
  4. controler

    controler Guest

    That is the only google I found with reference to coolprt.

    It seems strange using the same abbreviation for printer and port PRT.

    I was getting a registry entry from rootkitrevealer that I thought for sure was related to a file sharing program called Bitcomet.
    It always comes back when deleted.
    With the latest version of rootkitrevealer, I don't get that entry anymore.

    My laptop has a miniport driver ( modem) also and rootkitrevealer doesn't tag it.
    I was able to view my files in regedit though.
    I am sure you have your system set to show system & hidden files?

    Bruce
     
  5. Andrewski

    Andrewski Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    3
    Yeah..and, as I said I was able to view the keys using a bootable os.
     
  6. Mephisto

    Mephisto Guest

    Services\coolprt ... It looks like its running as a Windows service. You should be able to find it in the list of services. If it is a hidden service then you may have something bad going on.

    Do you use a coolport outlet?
    Coolport outlets enable you to operate up to 3 different devices (PC, Tel or Fax) over one cable.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.