Spyware, Viruses, & Security forum

General discussion

Have I got a Rootkit?

by catagiron-21641143377412376766431486358644 / April 8, 2006 5:33 AM PDT

I run a Windows XP SP 2 computer, and after hearing about Sony's rootkit fiasco I wanted to find out more about them, since they sound so extremely difficult to remove. An article on the Microsoft website mentioned RootkitRevealer, a tool for detecting possible rootkits, which I downloaded.

After running the program, I was alarmed to find 12 detections:


HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*


All the above items were timestamped 13/09/2004 08:10, all sized 0 bytes, and all said in the description: 'Key name contains embedded nulls (*)'. They obviously appear to be related.

The help file says a program called RegDelNul can be used to remove this sort of hidden registry key, but also says that detections aren't necessarily rootkits, so I thought I should try to find out what these are before I try to remove them.

If anyone can tell me anything about these registry keys, or could suggest somewhere to look them up, I would be very grateful.

Thanks,
Christopher J. Wright
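A small triage script, added here and not part of the thread or of RootkitRevealer, that does what Christopher did by eye: it groups report lines that share a timestamp and description so a batch left by one installer stands out from lone discrepancies. The tab-separated column layout (path, timestamp, size, description) is an assumption, and the sample lines are constructed from three of the keys above plus two made-up entries.

```python
"""Cluster RootkitRevealer-style discrepancies to spot one product's batch.

Added example, not code from the forum thread or from Sysinternals.  It assumes a
tab-separated report with the columns path, timestamp, size, description (an assumed
layout; compare with the tool's real output) and groups lines sharing a timestamp and
description, the check the poster made by hand on the 12 InprocServer32 keys.
"""
import re
from collections import defaultdict

# Constructed sample: three of the poster's keys plus two unrelated discrepancies.
SAMPLE_REPORT = """\
HKLM\\SOFTWARE\\Classes\\CLSID\\{47629D4B-2AD3-4e50-B716-A66C15C63153}\\InprocServer32*\t13/09/2004 08:10\t0 bytes\tKey name contains embedded nulls (*)
HKLM\\SOFTWARE\\Classes\\CLSID\\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\\InprocServer32*\t13/09/2004 08:10\t0 bytes\tKey name contains embedded nulls (*)
HKLM\\SOFTWARE\\Classes\\CLSID\\{684373FB-9CD8-4e47-B990-5A4466C16034}\\InprocServer32*\t13/09/2004 08:10\t0 bytes\tKey name contains embedded nulls (*)
C:\\WINDOWS\\system32\\drivers\\example.sys\t01/04/2006 12:00\t4.00 KB\tHidden from Windows API.
C:\\WINDOWS\\Temp\\~tmp123.tmp\t08/04/2006 13:30\t0 bytes\tVisible in Windows API, but not in MFT or directory index.
"""

CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\")

def parse_report(text):
    """Return one dict per report line that has exactly four tab-separated columns."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # blank line or a line in another layout
        path, stamp, size, desc = parts
        clsid = CLSID_RE.search(path)
        records.append({
            "path": path, "timestamp": stamp, "size": size, "description": desc,
            # RootkitRevealer appends '*' to a key whose name contains embedded nulls.
            "embedded_nulls": path.endswith("*"),
            "clsid": clsid.group(1) if clsid else None,
        })
    return records

def triage(text):
    """Return (count, timestamp, description) per cluster, largest cluster first."""
    groups = defaultdict(int)
    for rec in parse_report(text):
        groups[(rec["timestamp"], rec["description"])] += 1
    return sorted(((n, ts, desc) for (ts, desc), n in groups.items()), reverse=True)

if __name__ == "__main__":
    for count, stamp, desc in triage(SAMPLE_REPORT):
        print(f"{count:3d}  {stamp}  {desc}")
```

The extracted CLSID is what you would look up in the registry or a vendor forum, as this thread did, before deciding whether a cluster belongs to a known product.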

Can you make heads or tails out of this?
by NWRCS / April 8, 2006 5:40 AM PDT
In reply to: Have I got a Rootkit?
Slightly confused...

I'm afraid I don't quite understand this article either, and the term 'apartment' is new to me, too.

Thanks for showing me, anyway!
Christopher J. Wright

Chris
by tomron / April 8, 2006 5:41 AM PDT
In reply to: Have I got a Rootkit?

I found this link that suggests a possible trojan, click HERE

Also install, update, and run EWIDO

As an additional layer of protection install SPYWARE BLASTER, which is a preventer, not a scanner

Tom

Thanks, Tom!
by catagiron-21641143377412376766431486358644 / April 9, 2006 12:20 AM PDT
In reply to: Chris

Thanks for the article about the trojan. In the article there are a couple of registry entries on the list called InprocServer32, but there are no other indications that I am infected by this trojan, and also the CLSID numbers are different, so I think it's something else.

It looks like these registry keys are related to Pinnacle Studio 9, as suggested by Edward O'Daniel in his post: CLICK HERE. If you know anything about this, I would be very grateful if you could let me know.

Thank you for your help!
Christopher J. Wright

Chris
by tomron / April 9, 2006 12:49 AM PDT
In reply to: Thanks, Tom!

Since you suspect a rootkit, why not verify?

Click HERE

Tom

Thanks, again!
by catagiron-21641143377412376766431486358644 / April 10, 2006 3:58 AM PDT
In reply to: Chris

Thanks again for your help; luckily it looks like I'm clean!

Christopher J. Wright

(NT) Sounds good, thanx for posting back
by tomron / April 10, 2006 4:08 AM PDT
In reply to: Thanks, again!
CnBabe?
by NWRCS / April 8, 2006 5:42 AM PDT
In reply to: Have I got a Rootkit?
Thanks, NWRCS!
by catagiron-21641143377412376766431486358644 / April 9, 2006 12:28 AM PDT
In reply to: CnBabe?

Thanks for the information about 'CnBabe'. Although in the article I notice on the list of added registry values there are a couple of mentions of InprocServer32, there are no other signs of infection on my computer, and also the CLSID number is different, so I think it must be something else.

It looks like the registry keys are related to Pinnacle Studio 9, as Edward O'Daniel suggested in his post: CLICK HERE. If you happen to know anything about this, I'd be very grateful to hear a reply.

Once again, thank you for your help!

Did you ever install Pinnacle Studio 9...
by Edward ODaniel / April 8, 2006 7:23 AM PDT
In reply to: Have I got a Rootkit?

or a SONY DVD product?

Follow this link and take the time to read the posts.

The fifth from the top indicates a method for removing the cloaked entry(s), but do read ALL posts involved.

You might do well to actually take the time to look at the referenced sysinternals.com forums cited too.
http://www.mcse.ms/archive299-2005-11-1982691.html

Pinnacle Studio 9

Yes, Pinnacle Studio 9 came installed with my computer.

Thanks a lot for the link to the forum posts! I'm pretty sure that the registry keys I detected were from Pinnacle Studio 9; they all match the ones mentioned in that discussion, and I'm very grateful for your help.

So I know where they come from, but what I now need to know is whether or not they are a threat. I would really appreciate it if you, or anyone else reading this, could reply to let me know if I should remove them or not.

Thanks!
Christopher J. Wright

Pinnacle Studio Publishers have...
by Edward ODaniel / April 9, 2006 3:39 AM PDT
In reply to: Pinnacle Studio 9

readily admitted the 12 entries are theirs and personally I would not fret about them. I would however keep using the rootkit revealer to monitor any possible additions that might be of concern.

I was pretty sure you would catch the identical list near the bottom of that discussion if you read the whole thing; now you can relax and "let the elephant off your chest" and breathe easier.

Thanks, Edward!

Phew, I'm very relieved to hear this isn't a problem. :D

Thank you again for all your help with this!
Christopher J. Wright

Little suggestion
by shankru85 / April 9, 2006 8:16 PM PDT
In reply to: Have I got a Rootkit?

To be sure not to get rootkits in the future, you could try this useful software

Go to
http://www.pcalmeglio.net/

Then look for ROOTKIT REVEALER

I know that F-Secure also distributes a freeware rootkit scanner, but this scans only running processes.

You may use HijackThis & Sysinternals Process Explorer as well, but be sure you know what you're doing.

Best Regards

White [ITA]

Thanks, White!
by catagiron-21641143377412376766431486358644 / April 10, 2006 3:53 AM PDT
In reply to: Little suggestion

Thanks for your suggestions! In fact, it was a scan from RootkitRevealer that got me worried in the first place, but it looks like it's not a problem.

Thanks!
Christopher J. Wright
