(Msg. 1) Posted: Tue Aug 19, 2008 9:53 pm
Post subject: What does this root kit scan reveal? Archived from groups: microsoft>public>windowsxp>security_admin
I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
Service Pack 3 level. Service Pack 3 as of this past week.
I am not sure what this reveals, but I don't like seeing anything in this
scan... I was wondering if anyone could tell me if I have some action items
to take care of here.
Path | Timestamp | Size | Description
(Msg. 2) Posted: Tue Aug 19, 2008 10:53 pm
Post subject: Re: What does this root kit scan reveal?
| I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
| Service Pack 3 level. Service Pack 3 as of this past week.
| I am not sure what this reveals, but I don't like seeing anything in this
| scan... I was wondering if anyone could tell me if I have some action items
| to take care or here.
If you can't interpret a RootKit scanner's log then you should NOT be running it!
(Msg. 3) Posted: Tue Aug 19, 2008 11:14 pm
Post subject: Re: What does this root kit scan reveal?
That is not helpful David. If you don't have something helpful to say then
you don't need to reply.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OePF1$mAJHA.4748@TK2MSFTNGP06.phx.gbl...
> From: "Henry Stock" <henry.TakeThisOut@henry-stock.com>
>
> | I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
> | Service Pack 3 level. Service Pack 3 as of this past week.
>
> | I am not sure what this reveals, but I don't like seeing anything in
> this
> | scan... I was wondering if anyone could tell me if I have some action
> items
> | to take care or here.
>
> If you can't interpret a RootKit scanner's log then you should NOT be
> running it!
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
(Msg. 4) Posted: Wed Aug 20, 2008 1:38 am
Post subject: RE: What does this root kit scan reveal?
"Henry Stock" wrote:
> I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
> Service Pack 3 level. Service Pack 3 as of this past week.
>
> I am not sure what this reveals, but I don't like seeing anything in this
> scan... I was wondering if anyone could tell me if I have some action items
> to take care or here.
> Path
> | Timestamp
> Size
> Description
>
> HKLM\SECURITY\Policy\Secrets\SAC*
> 2/23/20071:50 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SECURITY\Policy\Secrets\SAI*
> 2/23/20071:50 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1 -11D0-995D-00C04FD919C1}*
> 2/23/2007 4:18 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SECURITY\Policy\Secrets\SCM:{D7C43E6C-5DD84026-A7DA41959AA852B8}*
> 2/23/2007 4:18 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
> 8/19/2008 3:08 PM
> 80 bytes
> Data mismatch between Windows API and raw hive data.
>
>
These are all typical of a clean XP machine.
In my experience many software companies make Rootkits hard to detect by
violating registry and API rules.
For example, McAfee anti-virus writes registry keys with embedded nulls.
I scanned an infected Acer laptop where Acer had hidden 67,000 files from
the Windows API! Couldn't go any further, user had to re-install.
(Msg. 5) Posted: Wed Aug 20, 2008 11:46 am
Post subject: Re: What does this root kit scan reveal?
MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
Henry Stock wrote:
> That is not helpful David. If you don't have something helpful to say then
> you don't need to reply.
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:OePF1$mAJHA.4748@TK2MSFTNGP06.phx.gbl...
>
>>From: "Henry Stock" <henry.DeleteThis@henry-stock.com>
>>
>>| I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
>>| Service Pack 3 level. Service Pack 3 as of this past week.
>>
>>| I am not sure what this reveals, but I don't like seeing anything in
>>this
>>| scan... I was wondering if anyone could tell me if I have some action
>>items
>>| to take care or here.
>>
>>If you can't interpret a RootKit scanner's log then you should NOT be
>>running it!
>>
>>--
>>Dave
>>http://www.claymania.com/removal-trojan-adware.html
>>Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>
>
>
>
(Msg. 6) Posted: Wed Aug 20, 2008 1:36 pm
Post subject: Re: What does this root kit scan reveal?
Henry Stock wrote:
> I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
> Service Pack 3 level. Service Pack 3 as of this past week.
>
> I am not sure what this reveals, but I don't like seeing anything in this
> scan... I was wondering if anyone could tell me if I have some action items
> to take care or here.
> Path
> | Timestamp
> Size
> Description
>
> HKLM\SECURITY\Policy\Secrets\SAC*
> 2/23/20071:50 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SECURITY\Policy\Secrets\SAI*
> 2/23/20071:50 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1 -11D0-995D-00C04FD919C1}*
> 2/23/2007 4:18 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SECURITY\Policy\Secrets\SCM:{D7C43E6C-5DD84026-A7DA41959AA852B8}*
> 2/23/2007 4:18 PM
> 0 bytes
> Key name contains embedded nulls (*)
>
> HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
> 8/19/2008 3:08 PM
> 80 bytes
> Data mismatch between Windows API and raw hive data.
Null characters are used to prevent accidental or casual deletion of
important entries in the registry; however, sometimes malware will use
this method to keep their entries in the registry. Some software has
legitimate use of the NUL character. I've seen SecureRom and other
copy-protection software that adds a special value to the registry after
installing a protected program and they use an embedded NUL to keep
casual or uneducated users from deleting this key which, if absent,
would prevent the protected software from loading or functioning properly.
Regedit.exe and other typical registry tools use the Win32 API to
query, create, and delete the registry. Registry keys and their values
are NULL terminated (with the '\0' character). This normally indicates
the end of the record; however, the *native* API (the undocumented API
exposed through NtDll.dll) allows embedded '\0' characters for strings
that specify their length rather than are null terminated. If malware
creates such a value with an additional NULL, RegEdit may fail to see it
and fail to edit or delete it. The real or native name in the
database is different than the parsed string value for it as seen by
regedit.exe using the normal system calls to the Win32 API.
When you use regedit.exe, it parses the key names but actions committed
on them result in using the parsed name instead of an object handle on
them. So NUL characters, which cannot be displayed, are not in the
parsed string value for a key name but they are in the actual name. The
result is what you try to do in regedit.exe on that special key name is
trying to commit an action on the real key but which does use those
non-printable characters in its name. What you see is NOT what is used
for the real key name. This old tactic is sometimes used in filenames,
too.
HKLM\SECURITY is probably a place you shouldn't be putzing around
inside. It is usually a repository for passwords (i.e., used by the LSA
private data store). I've heard, but not confirmed, that some
anti-malware software puts entries there, like Spy Sweeper. There are
some keys in the registry that remain hidden even to administrators as
direct access through regedit is not supported through the Win32 API.
When using regedit.exe, you'll only see HKLM\Security but nothing under
it because it uses the Win32 API. There is a trick to seeing the
subkeys under HKLM\Security. At a command prompt, run:
at hh:mmrr /interactive regedit.exe
where hh:mm are just a minute away from the current time (and rr is "am"
or "pm"). Now when regedit.exe opens a minute later, you can see those
subkeys. The 'at' command runs under the System account rather than the
current user's account (even if an admin-level account). Likewise, you
can use SysInternals psexec to run:
psexec -sid regedit.exe
While I've provided the means to get at those normally hidden keys
(hidden even from admins), if you change anything there then be ready to
recover your partition from a backup image saved earlier. They are
hidden to keep even admins from shooting themselves in their own feet.
Even after running regedit.exe under the System account to get at the
subkeys, the SAC and SAI subkeys use NULs to keep out admins accessing
the registry using the Win32 API. Obviously you should not be sticking
your fingers in there unless you are highly skilled at editing and
maintaining the registry. I won't touch entries there despite my
better-than-average skill in managing the registry. They put a board over
the mouse hole so you wouldn't see it, and they put mousetraps behind
the board to whack your fingers if you try to stick them inside the
hole.
Not everything that a rootkit scanner reports is bad. For example, if
you use Daemon Tools, a CD/DVD drive emulator, it hides its driver in a
root-like fashion (because some copy-protected software will look for it
and, if found, will refuse to run). If you don't understand what a
rootkit scanner reports, don't do anything about the items it reports.
You can do more damage to your OS editing keys that are normally hidden
than the damage caused by malware.
If you want to go digging into the LSA secrets (password) area, use
tools designed to do that, like Nirsoft's LSASecretsDump
(http://www.nirsoft.net/utils/lsa_secrets_view.html). Its description
is:
"LSASecretsDump is a small console application that extract the LSA
secrets from the Registry, decrypt them, and dump them into the console
window. The LSA secrets key is located under
HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain your RAS/VPN
passwords, Autologon password, and other system passwords/keys."
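The embedded-NUL mechanism explained in the post above, modelled as an added example (not code from this thread or from the Sysinternals scanner): a constructed in-memory list of raw key names stands in for the hive, the Win32 lookup is modelled as NUL-terminated string handling, and the scan reproduces the "Key name contains embedded nulls (*)" flag seen in the log.

```python
# Added example: why an embedded NUL in a registry key name hides the key
# from Win32-based tools, and the check a raw-hive rootkit scanner performs.
# The "hive" below is constructed sample data, not a real hive file, and the
# GUID in the SCM name is a placeholder.

NUL = "\0"

# Raw key names as the native, length-counted API stores them. Three carry a
# trailing NUL the way the SAC/SAI/SCM secrets in the log do; one is ordinary.
RAW_HIVE_KEYS = [
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC" + NUL,
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI" + NUL,
    "HKLM\\SECURITY\\Policy\\Secrets\\SCM:{GUID-PLACEHOLDER}" + NUL,
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG",
]


def win32_view(raw_name: str) -> str:
    """Win32 registry calls take NUL-terminated C strings, so the name a
    caller can ever see or pass ends at the first NUL."""
    return raw_name.split(NUL, 1)[0]


def win32_open_key(hive: list[str], requested: str) -> bool:
    """Model of a RegOpenKeyEx-style lookup: the request is truncated at its
    first NUL and compared with the exact raw names, so a key whose raw name
    contains a NUL is never matched, whatever the caller types."""
    return win32_view(requested) in hive


def display_name(raw_name: str) -> str:
    """Scanner-style rendering: NULs are unprintable, so show them as '*'."""
    return raw_name.replace(NUL, "*")


def scan_for_hidden_keys(hive: list[str]) -> list[tuple[str, str]]:
    """Enumerate the hive by its raw (native) names and flag every key that a
    Win32 caller cannot open by the only name it is able to see."""
    findings = []
    for raw in hive:
        if not win32_open_key(hive, win32_view(raw)):
            findings.append((display_name(raw),
                             "Key name contains embedded nulls (*)"))
    return findings


if __name__ == "__main__":
    for path, description in scan_for_hidden_keys(RAW_HIVE_KEYS):
        print(f"{path}\t{description}")
```

The RNG key is opened normally and is not reported; the three NUL-bearing names fail the Win32 lookup even when the NUL is included in the request, which is exactly why regedit.exe cannot act on them.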
(Msg. 7) Posted: Wed Aug 20, 2008 1:39 pm
Post subject: Re: What does this root kit scan reveal?
Henry Stock wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:OePF1$mAJHA.4748@TK2MSFTNGP06.phx.gbl...
>> From: "Henry Stock" <henry.DeleteThis@henry-stock.com>
>>
>>| I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
>>| Service Pack 3 level. Service Pack 3 as of this past week.
>>
>>| I am not sure what this reveals, but I don't like seeing anything in
>> this
>>| scan... I was wondering if anyone could tell me if I have some action
>> items
>>| to take care or here.
>>
>> If you can't interpret a RootKit scanner's log then you should NOT be
>> running it!
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
> That is not helpful David. If you don't have something helpful to say then
> you don't need to reply.
Unfortunately the respondents here cannot physically run over to the
child to grab the revolver out of their hands. The only equivalent here
is "Do NOT touch under penalty of operating system death".
(Msg. 8) Posted: Thu Aug 21, 2008 9:13 pm
Post subject: Re: What does this root kit scan reveal?
"Henry Stock" <henry.RemoveThis@henry-stock.com> wrote in message
news:ex3qPemAJHA.3728@TK2MSFTNGP03.phx.gbl...
>I just ran a sysinternals rootkit scan on my system, a Windows XP Pro
>Service Pack 3 level. Service Pack 3 as of this past week.
>
Try other rootkit scanners that are more user-friendly, such as Sophos' free
download.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html