
Interpreting Results



Coronamaker
2008-03-11, 04:35
Just curious on how to go about understanding what the results from the Deep Scan mean. I have 2 objects but don't have any idea how to interpret them.

Coronamaker
2008-03-14, 15:23
I was originally thinking my question would be one of those "Damn I should have known" type of things, but seeing as there have been 90 or so views with no replies maybe it wasn't so obvious.

md usa spybot fan
2008-03-14, 15:58
Coronamaker:

If you stated what the "2 objects" are, perhaps someone could help.

Coronamaker
2008-03-15, 00:38
md usa, I understand where you are coming from, I was actually looking for resources where I could go to do the research. I should have stated that better, but I just wanted to poke around and see what I could find out about the detections, then if I drew a blank I would have come back for an assist.

Since you suggested it though, I will post them here but if possible I am still looking for any resources to be able to help myself as well.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*TCPUDPChecksumOffloadIPv4

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*InterruptModeration

PepiMK
2008-03-15, 11:31
Sorry, didn't see the topic until now.

The only information I found about it:

MSDN: Enumerating Keywords (http://msdn2.microsoft.com/en-us/library/aa503756.aspx)
MSDN: Using Registry Values to Enable and Disable Task Offloading (http://msdn2.microsoft.com/en-us/library/aa938424.aspx)

Seems to be about checksum calculation offloading; no idea why a rootkit should hide that; but registry paths are quite long and the shorter one just one character over 128; with two bytes per character that would be just over 256, a magical border that shouldn't have any effect here though. Overlength is a hiding trick, but not at this border - I just tested that both the registry supports keys of more length, and RootAlyzer as well.

Can you see these two registry values through regedit.exe?
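
The length argument in the post above can be checked rather than eyeballed. The following is an added example, not part of the original thread and not RootAlyzer's code: it splits a scanner-reported registry path into hive, key path and value name, measures it in characters and in UTF-16 bytes against the 128-character / 256-byte boundary discussed, and notes whether the value name is an NDIS standardized keyword (the `*`-prefixed names under `Ndi\Params` that the linked MSDN pages describe). The two NDIS paths are copied from the thread; the third path, the `CHAR_LIMIT` constant and the empty-component check are constructed assumptions for illustration.

```python
"""Triage helper for long registry paths reported by a rootkit scanner.

Added example (not RootAlyzer's own code). It measures each reported
path against the 128-character / 256-byte boundary from the thread and
splits it into hive, key path and value name so the hit can be reviewed.
"""
from dataclasses import dataclass
from typing import List

CHAR_LIMIT = 128              # boundary discussed in the post, in characters
BYTE_LIMIT = CHAR_LIMIT * 2   # the same boundary in UTF-16 bytes (2 bytes/char)

KNOWN_HIVES = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}

# The two paths posted in the thread (copied verbatim) plus one constructed
# path containing an empty component, to show how a garbled path is flagged.
THREAD_PATHS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*TCPUDPChecksumOffloadIPv4",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*InterruptModeration",
]
CONSTRUCTED_PATH = r"HKEY_CURRENT_USER\Software\\Example\Value"  # constructed


@dataclass
class PathReport:
    full_path: str
    hive: str
    key_path: str
    value_name: str
    char_len: int
    utf16_bytes: int
    over_limit: bool
    ndis_standard_keyword: bool
    empty_components: int


def analyze_registry_path(full_path: str) -> PathReport:
    """Split a scanner-style '<hive>\\<key path>\\<value name>' string and measure it."""
    parts = full_path.split("\\")
    hive = parts[0]
    if hive not in KNOWN_HIVES:
        raise ValueError(f"unknown hive: {hive!r}")
    # Assumption: the scanner reports a value, so the last component is the
    # value name and everything between hive and value is the key path.
    value_name = parts[-1]
    key_path = "\\".join(parts[1:-1])
    # Size as the Windows registry API stores it: UTF-16LE, not counting the
    # terminating NUL (add 2 if you want the terminated size).
    utf16_bytes = len(full_path.encode("utf-16-le"))
    # NDIS standardized keywords live under Ndi\Params and start with '*'.
    is_ndis_keyword = key_path.endswith("\\Ndi\\Params") and value_name.startswith("*")
    # Empty components (e.g. a doubled backslash) usually mean the path was
    # truncated or mangled in transit rather than a real key name.
    empty_components = sum(1 for p in parts[1:] if p == "")
    return PathReport(
        full_path=full_path,
        hive=hive,
        key_path=key_path,
        value_name=value_name,
        char_len=len(full_path),
        utf16_bytes=utf16_bytes,
        over_limit=len(full_path) > CHAR_LIMIT,
        ndis_standard_keyword=is_ndis_keyword,
        empty_components=empty_components,
    )


def findings(report: PathReport) -> List[str]:
    """Human-readable observations a reviewer would want for one hit."""
    notes = []
    if report.over_limit:
        notes.append(
            f"{report.char_len} chars / {report.utf16_bytes} UTF-16 bytes, "
            f"over the {CHAR_LIMIT}-char ({BYTE_LIMIT}-byte) boundary"
        )
    if report.ndis_standard_keyword:
        notes.append(f"NDIS standardized keyword {report.value_name} (benign driver setting)")
    if report.empty_components:
        notes.append(f"{report.empty_components} empty path component(s): path may be truncated")
    return notes


if __name__ == "__main__":
    for path in THREAD_PATHS + [CONSTRUCTED_PATH]:
        rep = analyze_registry_path(path)
        print(rep.hive, "|", rep.key_path, "|", rep.value_name)
        for note in findings(rep):
            print("  -", note)
```

Run stand-alone it prints, for each path, the hive / key path / value name split followed by the observations; for the two thread paths it reports 135 and 129 characters (270 and 258 UTF-16 bytes), which matches the "one character over 128" remark above, and labels both value names as NDIS standardized keywords.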

Coronamaker
2008-03-16, 17:38
Hi Pepi sorry about the delay, I saw your message but was at work.

I can see the registry entries in any registry editing program including the Windows regedit. I would be happy to send you the exported registry string (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}) by PM or e-mail if you want to have a closer look at what all is included in there. Just let me know and I'll be happy to send that or whatever else you may need.

PepiMK
2008-03-20, 12:40
I think I found the problem. Have tested it on a dozen virtual machines and found one configuration where I could reproduce it. Have fixed it, works fine on this machine now, will continue a bit of testing and upload a new version later :)

spunky50
2008-03-26, 02:07
I have a registry entry that RootAlyzer has found.
Here it is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\

It looks like it is a part of an Adobe product.

Here is the Entry Under the Name column in the right hand of the Registry Editor Screen: AV141C35E9F4BF344B9F2010BB17F68A
The Registry Type is: REG_SZ
Here is the Data Value to the right of the Registry Editor screen: 02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\-{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}-\Registered

Located above these there is another Name, Type and Value. In the Name field it says (Default). In the Type field it says REG_SZ. In the Data field it says (value not set).

Is this registry entry that RootAlyzer shows as a rootkit safe or should I delete the entry from the Registry Editor?

Any help is appreciated. Thanks in advance.

spunky50
2008-03-26, 02:26
When I posted the post directly above I saw that it didn't display the complete Registry entry that RootAlyzer found.
I am going to attempt to attach a file with the whole text of the Registry entry in it.

PepiMK
2008-03-31, 13:41
Could you please try the updated version 0.1.3 available here?

I'll test on a machine with Photoshop in the next days; I seem to remember Adobe had some ugly methods for their copy protection which I wouldn't wonder could even use rootkit methods.