What's this? RKR result

Discussion in 'other anti-malware software' started by argus tuft, Jan 30, 2007.

Thread Status:
Not open for further replies.
  1. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Hi all, apologies for the title, too tired to think straight :oops:
    I just ran RootkitRevealer, and it showed an entry in the registry that looks a bit odd.
    the key in question is
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\|||.*rtyHandlers

    only the ||| were closer together, and the dot immediately after was
    about equal height with the bar in 'H'
    the time stamp was over a month ago, and everything else looked ok.
    Googling the key showed no results
    The entries that I can see through regedit under the Reinstall key seem to relate
    to various drivers: mouse, graphics, sound cards etc.
    I realize it's most likely nothing, but it would be nice to be sure!
    Thanks
     
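A defender's check of the sort the question above calls for, added here as an example and not part of the original thread: it enumerates subkeys under the Reinstall key named in the post and flags any whose name contains characters outside printable ASCII, the kind of name regedit renders as odd glyphs. It uses the Win32 registry API through PowerShell, so it only sees names that API can enumerate; RootkitRevealer compares API results against the raw hive, which is why it can report entries regedit cannot show. Assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example, not from the thread. Flags registry subkey names under the
# Reinstall key that contain non-printable or non-ASCII characters.
# Assumption: run from an elevated PowerShell prompt on the machine in question.

function Find-OddKeyNames {
    param(
        [string]$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall'
    )
    Get-ChildItem -Path $RegPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        $odd  = @()
        foreach ($ch in $name.ToCharArray()) {
            $code = [int]$ch
            # Anything below space (0x20) or above tilde (0x7E) will not render
            # as a normal ASCII glyph in regedit.
            if ($code -lt 0x20 -or $code -gt 0x7E) {
                $odd += ('U+{0:X4}' -f $code)
            }
        }
        if ($odd.Count -gt 0) {
            [pscustomobject]@{
                Key      = $_.Name
                OddChars = ($odd -join ' ')
            }
        }
    }
}

# Print any hits; an empty result means every enumerable subkey name is plain ASCII.
Find-OddKeyNames | Format-Table -AutoSize
```

A hit is a starting point for comparison with the RKR output, not a verdict on its own: the tool in the thread reports legitimate driver entries here as well.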
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I'm not too clued up on RKR logs as they tend to generate some quite spurious data at times.

    What would be best is to utilize the current most advanced Rootkit forensic tool available in the public arena and see what that is reporting.

    If you're game, download RootKit Unhooker from
    http://www.rku.xell.ru/?l=e&a=dl

    **Do not take any actions unless directed, as this is a very powerful tool and is capable of some neat stuff, but also if misused can do crazy things too;)

    Using the report function (far right tab), tick all boxes and copy & paste the scan results into a reply, and I will happily advise you on any suspicious entries present and actions required :)

    *Don't panic if there is lots of data, as the tool will report legitimate activities/objects as well as bad stuff; it's just looking in all the right places!
     
  3. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Thanks fcukdat, downloading now. I'll post results in a bit :)
     
  4. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    I ran RkU, it detected a parasite inside itself, which it seemed to be able to fix... It does seem to be quite long, sorry. I assume that safemon.sys is something to do with SSM? (I have it installed but not running) and I'm pretty sure sandbox.sys relates to Sandboxie?
    The report is as follows:


    Thanks for your time and effort :D
     

    Attached Files:

    • Log.txt
      File size:
      25 KB
      Views:
      38
    Last edited by a moderator: Jan 31, 2007
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Everything in your RKU log is related to Sandboxie and SSM. False alarms.

    And BTW, instead of posting this huge log directly you can post it as an attachment :)
     
  6. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Thanks EP_X0FF, fcukdat for your time and help :)
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Instead of saying False Alarms, I feel it would be more accurate to inform the user that it's simply info gathered. Those RKR results are basically no different from what RkUnhooker or any other rootkit detector would report :doubt:

     