Please comment on RootAlyzer log file...

[Fijiguy]

Log file from RootAlyzer. Please take a look and let me know. I suspect the pinnacle files are ok but I'm wondering most about the inprocserver32 reg entries with the zero character. I'm slightly curious about the .flv file that has the "no admin in acl" comment.

Any help is appreciated.

thanks.


// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","E:\VidOut\Render\WORKATHOME 0D7F0388\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\WIP_CHRISTMAS 6CBA035E\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\WIP_CHRISTMAS 6CBA035E\DVD\StudioSequence\temp\studiosequence(1).m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\WIP_CHRISTMAS 6CBA035E\DVD\StudioSequence\temp\studiosequence.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\SWB1 4BDD0157\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\PSYCH INTRO 2FC1029E\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\LADDER 93DA00C2\DVD\StudioSequence\temp\studiosequence.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\JUDY BELL 6BA8035A\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\INTRODUCTION 4A7E02D8\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 00.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 01.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 02.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 03.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 04.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GETTING AWAY 5F28011C\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\VidOut\Render\GETTING AWAY 5F28011C\DVD\StudioSequence\temp\studiosequence.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\RECYCLER\S-1-5-21-1417001333-484763869-839522115-500\De2\Render\MY MOVIE EC1600BB\tmp.m2vinnacleIndex_0:$DATA"
File:"Unknown ADS","E:\RECYCLER\S-1-5-21-1417001333-484763869-839522115-500\De2\Render\MY MOVIE C9B000EC\tmp.m2vinnacleIndex_0:$DATA"
File:"No admin in ACL","E:\content\James16\AudPsych.flv"
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!

 

[PepiMK]

The "Zero char in key name" entries are also listed here as a part of Pinnacle Studio hiding its registration information from hackers using hackers methods Not nice, but not dangerous.

The "Unknown ADS" parts are indeed harmless additional information stored in ADS. Will see if I can whitelist that

As for the AudPsych.flv file, is that one you stored there and you can still see in Explorer? In that case you probably just wanted to restrict access to it to your account?

 

[Fijiguy]

The "Zero char in key name" entries are also listed here as a part of Pinnacle Studio hiding its registration information from hackers using hackers methods Not nice, but not dangerous.

The "Unknown ADS" parts are indeed harmless additional information stored in ADS. Will see if I can whitelist that

As for the AudPsych.flv file, is that one you stored there and you can still see in Explorer? In that case you probably just wanted to restrict access to it to your account?

Thanks a lot for the speedy response. I greatly appreciate it.

The AudPsych.flv file is visible in Explorer. I noticed it has zero bytes in it so I deleted it.

What about the inprocserver registry entries with the zero characters? Any comments on that? Should I remove them?

thanks,

D

 

[PepiMK]

See my first sentence above ^^
They belong to Pinnacle Studio as well, a hackers method to hide license info from hackers.

 

[Fijiguy]

See my first sentence above ^^
They belong to Pinnacle Studio as well, a hackers method to hide license info from hackers.

Ok thanks I did not make the connection. I spent 25 years in IS and still I'm a techopeasant. :red:

Regards,

Fijiguy