Thread: Interpreting Results

  1. #1
    Junior Member
    Join Date
    Jan 2006
    Posts
    9

    Default Interpreting Results

    Just curious on how to go about understanding what the results from the Deep Scan mean. I have 2 objects but don't have any idea how to interpret them.

  2. #2
    Junior Member
    Join Date
    Jan 2006
    Posts
    9

    Default

    I was originally thinking my question would be one of those "Damn, I should have known" type of things, but seeing as there have been 90 or so views with no replies, maybe it wasn't so obvious.

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Coronamaker:

    If you stated what the "2 objects" are, perhaps someone could help.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Junior Member
    Join Date
    Jan 2006
    Posts
    9

    Default

    md usa, I understand where you are coming from, I was actually looking for resources where I could go to do the research. I should have stated that better, but I just wanted to poke around and see what I could find out about the detections, then if I drew a blank I would have come back for an assist.

    Since you suggested it though, I will post them here but if possible I am still looking for any resources to be able to help myself as well.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*TCPUDPChecksumOffloadIPv4

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*InterruptModeration

  5. #5
    Member of Team Spybot PepiMK
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,591

    Default

    Sorry, didn't see the topic until now.

    The only information I found about it:

    MSDN: Enumerating Keywords
    MSDN: Using Registry Values to Enable and Disable Task Offloading

    Seems to be about checksum calculation offloading; no idea why a rootkit should hide that; but registry paths are quite long and the shorter one is just one character over 128; with two bytes per character that would be just over 256, a magical border that shouldn't have any effect here though. Overlength is a hiding trick, but not at this border - I just tested that both the registry and RootAlyzer support keys of greater length.

    Can you see these two registry values through regedit.exe?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
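The length check PepiMK describes above, as an added example that is not code from the thread or from RootAlyzer/Spybot: it walks a registry subtree and reports, for every key and value, the full path length in characters and in UTF-16 bytes, flagging entries over a threshold. The root key (the adapter class key quoted in the thread) and the 128-character threshold are assumptions.

```powershell
# Added example, not code from the thread or from RootAlyzer/Spybot.
# Reports full-path length (characters and UTF-16 bytes) for every key
# and value under $Root and flags those over $Threshold.
# Assumptions: the root key quoted in the thread; 128 chars as the border
# discussed in post #5 (255 is the documented key-name limit).
param(
    [string]$Root = 'HKLM:\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}',
    [int]$Threshold = 128
)

function Measure-RegistryPath {
    # Length statistics for one full registry path string.
    param([string]$FullPath, [int]$Limit)
    [pscustomobject]@{
        Path       = $FullPath
        Chars      = $FullPath.Length
        Utf16Bytes = [System.Text.Encoding]::Unicode.GetByteCount($FullPath)
        OverLimit  = $FullPath.Length -gt $Limit
    }
}

function Get-RegistryPathLengths {
    param([string]$Path, [int]$Limit)
    # The root key itself plus everything below it; unreadable keys are skipped.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue)
    $keys += Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        # $key.Name is the native full path, e.g. HKEY_LOCAL_MACHINE\SYSTEM\...
        Measure-RegistryPath -FullPath $key.Name -Limit $Limit
        foreach ($valueName in $key.GetValueNames()) {
            # The (Default) value has an empty name, so its path ends in a backslash.
            Measure-RegistryPath -FullPath "$($key.Name)\$valueName" -Limit $Limit
        }
    }
}

# Longest paths first; only entries over the threshold are shown.
Get-RegistryPathLengths -Path $Root -Limit $Threshold |
    Where-Object { $_.OverLimit } |
    Sort-Object Chars -Descending |
    Format-Table Chars, Utf16Bytes, Path -AutoSize
```

Run it elevated if the subtree contains keys the current user cannot read; drop the `Where-Object` stage to see the length of every entry rather than only the long ones.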

  6. #6
    Junior Member
    Join Date
    Jan 2006
    Posts
    9

    Default

    Hi Pepi, sorry about the delay, I saw your message but was at work.

    I can see the registry entries in any registry editing program including the Windows regedit. I would be happy to send you the exported registry string (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}) by PM or e-mail if you want to have a closer look at what all is included in there. Just let me know and I'll be happy to send that or whatever else you may need.

  7. #7
    Member of Team Spybot PepiMK
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,591

    Default

    I think I found the problem. Have tested it on a dozen virtual machines and found one configuration where I could reproduce it. Have fixed it, works fine on this machine now, will continue a bit of testing and upload a new version later.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  8. #8
    Junior Member
    Join Date
    Mar 2008
    Posts
    2

    Default

    I have a registry entry that RootAlyzer has found.
    Here it is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\

    It looks like it is a part of an Adobe product.

    Here is the Entry Under the Name column in the right hand of the Registry Editor Screen: AV141C35E9F4BF344B9F2010BB17F68A
    The Registry Type is: REG_SZ
    Here is the Data Value to the right of the Registry Editor screen: 02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\-{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}-\Registered

    Located above these there is another Name, Type and Value. In the Name field it says (Default). In the Type field it says REG_SZ. In the Data field it says (value not set).

    Is this registry entry that RootAlyzer shows as a rootkit safe or should I delete the entry from the Registry Editor?

    Any help is appreciated. Thanks in advance.

  9. #9
    Junior Member
    Join Date
    Mar 2008
    Posts
    2

    Default

    When I posted the post directly above I saw that it didn't display the complete Registry entry that RootAlyzer found.
    I am going to attempt to attach a file with the whole text of the Registry entry in it.

  10. #10
    Member of Team Spybot PepiMK
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,591

    Default

    Could you please try the updated version 0.1.3 available here?

    I'll test on a machine with Photoshop in the next days; I seem to remember Adobe had some ugly methods for their copy protection which I wouldn't wonder could even use rootkit methods.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
