Thread: Legit software using rootkit like methods - look here for hits that are ok

    PepiMK (Member of Team Spybot)

    This thread/topic is used to collect information about results in RootAlyzer that are to be expected if you use legit software that uses a rootkit method to hide something, where the rootkit may be "not so nice", but not a threat.

    Product: ATI Catalyst driver
    Type: Unknown ADS
    Details: ?:\Program Files\ATI Technologies\ATI.ACE\skins\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Scrollbar:Smaller.WB4:$DATA

    Again just a manufacturer who forgot that colons may not be used as part of a filename; this entry can be safely ignored in the results list.

    Product: Baldur's Gate (Patch)
    Type: Unknown ADS
    Details: ...\Start Menu\Black Isle\Baldur's Gate\View Baldur's Gate: The Patch Readme.lnk:$DATA

    This is a mistake where the author of the installer didn't acknowledge that colons are not allowed as part of filenames, where the alternate data stream name was actually intended to be part of the filename. The only result of this is that the link may not work; removing it through the standard start menu operation should be sufficient.

    Product: Flash Disinfector
    Type: Reserved filename
    Details: ?:\autorun.inf\lpt3.This folder was created by Flash_Disinfector

    Flash Disinfector seems to try to create this file to block other malware from writing a malicious autorun.inf file.

    Product: O&O Defrag
    Type: Zero char in key
    Details: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System\0

    This key might get created by O&O Defrag to store licensing information. Removal is possible with RootAlyzer or our Total Commander plugin only, but not recommended for obvious reasons as long as you use O&O Defrag.

    Product: Pinnacle Studio
    Type: Zero char in key
    Details: HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
    Details: HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}
    Details: HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}
    Details: HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}
    Details: HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}
    Details: HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}
    Details: HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}
    Details: HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}
    Details: HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}
    Details: HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}
    Details: HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
    Details: HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}

    This is Pinnacle Studio 9 hiding registration/licensing information there, according to, for example, Ben Fulton.

    Product: Sun Java
    Type: No admin in ACL
    Details: ?:\WINDOWS\Temp\hsperfdata_SYSTEM\*

    Seems to be related to Java's Hotspot (Performance?) Monitoring Tools, rated as harmless in a lot of discussions found on it. Would probably only appear when Java apps are running?
    Last edited by PepiMK; 2008-05-08 at 11:18. Reason: Added Pinnacle Studio entry
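An added triage helper, not part of PepiMK's post and not RootAlyzer's own code: it checks a hit's type and Details path against the allowlist collected in this thread, and separately flags ADS hits whose "stream" is really the colon-split tail of a filename (the ATI and Baldur's Gate cases) rather than deliberately hidden data. The hit representation (type string plus Details path) and the glob-style matching are my assumptions; RootAlyzer's real output format may differ.

```python
import fnmatch
import re

# Allowlist of hits this thread documents as expected for legit software:
# (product, RootAlyzer type, glob of the Details path). "?:\" stands for
# any drive letter, "*" for the varying prefix or tail. Constructed from the post.
KNOWN_OK = [
    ("ATI Catalyst driver", "Unknown ADS",
     r"?:\Program Files\ATI Technologies\ATI.ACE\skins\CATALYST_Quicksilver\*:$DATA"),
    ("Baldur's Gate (Patch)", "Unknown ADS",
     r"*\Start Menu\Black Isle\Baldur's Gate\View Baldur's Gate: The Patch Readme.lnk:$DATA"),
    ("Flash Disinfector", "Reserved filename",
     r"?:\autorun.inf\lpt3.This folder was created by Flash_Disinfector"),
    ("O&O Defrag", "Zero char in key",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System\0"),
    ("Sun Java", "No admin in ACL", r"?:\WINDOWS\Temp\hsperfdata_SYSTEM\*"),
]
# Pinnacle Studio 9 CLSIDs from the post, matched exactly rather than with a
# {*} glob, so an unrelated zero-char CLSID key is still reported for review.
PINNACLE_CLSIDS = {
    "{47629D4B-2AD3-4e50-B716-A66C15C63153}", "{604BB98A-A94F-4a5c-A67C-D8D3582C741C}",
    "{684373FB-9CD8-4e47-B990-5A4466C16034}", "{74554CCD-F60F-4708-AD98-D0152D08C8B9}",
    "{7EB537F9-A916-4339-B91B-DED8E83632C0}", "{948395E8-7A56-4fb1-843B-3E52D94DB145}",
    "{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}", "{DE5654CA-EB84-4df9-915B-37E957082D6D}",
    "{E39C35E8-7488-4926-92B2-2F94619AC1A5}", "{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}",
    "{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}", "{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}",
}

def triage(result_type, details):
    """Return the product the thread attributes a hit to, or None when the hit
    is not on the allowlist and needs a real look. NTFS paths and registry
    keys are case-insensitive, so both sides are compared lowercased."""
    if result_type == "Zero char in key":
        prefix, _, clsid = details.rpartition("\\")
        if prefix.lower() == r"hklm\software\classes\clsid" and \
                any(clsid.lower() == c.lower() for c in PINNACLE_CLSIDS):
            return "Pinnacle Studio"
    for product, rtype, pattern in KNOWN_OK:
        if rtype == result_type and fnmatch.fnmatchcase(details.lower(), pattern.lower()):
            return product
    return None

def ads_stream_looks_like_filename(details):
    """Heuristic for the ADS cases above: the 'stream' name is really the rest
    of a filename that contained a colon (leading space or a file extension),
    not data a program tucked away on purpose. Returns False for the drive colon."""
    body = details[:-len(":$DATA")] if details.endswith(":$DATA") else details
    _, sep, stream = body.rpartition(":")
    if not sep or stream.startswith("\\"):
        return False
    return stream.startswith(" ") or re.search(r"\.\w{2,4}$", stream) is not None
```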
