Just curious on how to go about understanding what the results from the Deep Scan mean. I have 2 objects but don't have any idea how to interpret them.
I was originally thinking my question would be one of those "Damn I should have known" type of things, but seeing as there have been 90 or so views with no replies maybe it wasn't so obvious.
Coronamaker:
If you stated what the "2 objects" are, perhaps someone could help.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
md usa, I understand where you are coming from, I was actually looking for resources where I could go to do the research. I should have stated that better, but I just wanted to poke around and see what I could find out about the detections, then if I drew a blank I would have come back for an assist.
Since you suggested it though, I will post them here but if possible I am still looking for any resources to be able to help myself as well.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*TCPUDPChecksumOffloadIPv4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*InterruptModeration
Sorry, didn't see the topic until now.
The only information I found about it:
MSDN: Enumerating Keywords
MSDN: Using Registry Values to Enable and Disable Task Offloading
Seems to be about checksum calculation offloading; no idea why a rootkit should hide that; but registry paths are quite long and the shorter one is just one character over 128; with two bytes per character that would be just over 256, a magical border that shouldn't have any effect here though. Overlength is a hiding trick, but not at this border - I just tested that both the registry and RootAlyzer support keys of greater length.
Can you see these two registry values through regedit.exe?
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
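The length question raised above can be checked mechanically. The helper below is an added example (not part of the thread and not RootAlyzer's code): it splits a reported registry path into hive, key names and value name, measures the full path in characters and UTF-16 bytes against the 128-character boundary mentioned, and compares each element with Microsoft's documented registry element size limits. The two sample paths are the ones posted above; treating the last element as a value name is an assumption noted in the code.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Microsoft's documented registry element size limits (in characters).
MAX_KEY_NAME_CHARS = 255
MAX_VALUE_NAME_CHARS = 16383
MAX_TREE_DEPTH = 512
THREAD_BOUNDARY_CHARS = 128  # the 128-char / 256-byte boundary raised in the thread


@dataclass
class PathReport:
    hive: str
    key_components: List[str]
    value_name: Optional[str]
    chars: int
    utf16_bytes: int
    over_thread_boundary: bool
    limit_violations: List[str] = field(default_factory=list)


def analyze_registry_path(path: str, is_value: bool = True) -> PathReport:
    """Split a scanner-reported path and check its elements against documented limits.
    Assumption: with is_value=True the last element is a value name (as in the
    RootAlyzer output above); with is_value=False the whole path names a key."""
    parts = path.split("\\")
    key_components = parts[1:-1] if is_value else parts[1:]
    value_name = parts[-1] if is_value else None
    report = PathReport(parts[0], key_components, value_name, len(path),
                        len(path.encode("utf-16-le")), len(path) > THREAD_BOUNDARY_CHARS)
    for comp in key_components:
        if len(comp) > MAX_KEY_NAME_CHARS:
            report.limit_violations.append(f"key name of {len(comp)} chars: {comp[:24]}...")
    if value_name is not None and len(value_name) > MAX_VALUE_NAME_CHARS:
        report.limit_violations.append(f"value name of {len(value_name)} chars")
    if len(key_components) > MAX_TREE_DEPTH:
        report.limit_violations.append(f"key depth {len(key_components)} exceeds {MAX_TREE_DEPTH}")
    return report


# The two values reported in the thread above.
REPORTED_PATHS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*TCPUDPChecksumOffloadIPv4",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Ndi\Params\*InterruptModeration",
]

if __name__ == "__main__":
    for r in map(analyze_registry_path, REPORTED_PATHS):
        print(f"{r.chars} chars / {r.utf16_bytes} bytes, value {r.value_name!r}, "
              f"over 128 chars: {r.over_thread_boundary}, limit violations: {r.limit_violations or 'none'}")
```

Both reported paths come out over the 128-character boundary but well inside every documented element limit, which is consistent with the length hypothesis not explaining the detection.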
Hi Pepi sorry about the delay, I saw your message but was at work.
I can see the registry entries in any registry editing program including the Windows regedit. I would be happy to send you the exported registry string (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}) by PM or e-mail if you want to have a closer look at what all is included in there. Just let me know and I'll be happy to send that or whatever else you may need.
I think I found the problem. Have tested it on a dozen virtual machines and found one configuration where I could reproduce it. Have fixed it, works fine on this machine now, will continue a bit of testing and upload a new version later
I have a registry entry that RootAlyzer has found.
Here it is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\
It looks like it is a part of an Adobe product.
Here is the Entry Under the Name column in the right hand of the Registry Editor Screen: AV141C35E9F4BF344B9F2010BB17F68A
The Registry Type is: REG_SZ
Here is the Data Value to the right of the Registry Editor screen: 02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\-{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}-\Registered
Located above these there is another Name, Type and Value. In the Name field it says (Default). In the Type field it says REG_SZ. In the Data field it says (value not set).
Is this registry entry that RootAlyzer shows as a rootkit safe or should I delete the entry from the Registry Editor?
Any help is appreciated. Thanks in advance.