Thread: Please comment on RootAlyzer log file...

  1. #1
    Junior Member
    Join Date
    Nov 2008
    Posts
    3

    Please comment on RootAlyzer log file...

    Log file from RootAlyzer. Please take a look and let me know. I suspect the pinnacle files are ok but I'm wondering most about the inprocserver32 reg entries with the zero character. I'm slightly curious about the .flv file that has the "no admin in acl" comment.

    Any help is appreciated.

    thanks.


    // info: Rootkit removal help file
    // copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","E:\VidOut\Render\WORKATHOME 0D7F0388\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\WIP_CHRISTMAS 6CBA035E\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\WIP_CHRISTMAS 6CBA035E\DVD\StudioSequence\temp\studiosequence(1).m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\WIP_CHRISTMAS 6CBA035E\DVD\StudioSequence\temp\studiosequence.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\SWB1 4BDD0157\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\PSYCH INTRO 2FC1029E\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\LADDER 93DA00C2\DVD\StudioSequence\temp\studiosequence.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\JUDY BELL 6BA8035A\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\INTRODUCTION 4A7E02D8\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 00.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 01.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 02.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 03.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence 04.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GUITARSTYLES 435402DC\DVD\StudioSequence\temp\studiosequence.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GETTING AWAY 5F28011C\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\VidOut\Render\GETTING AWAY 5F28011C\DVD\StudioSequence\temp\studiosequence.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\RECYCLER\S-1-5-21-1417001333-484763869-839522115-500\De2\Render\MY MOVIE EC1600BB\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"Unknown ADS","E:\RECYCLER\S-1-5-21-1417001333-484763869-839522115-500\De2\Render\MY MOVIE C9B000EC\tmp.m2v:PinnacleIndex_0:$DATA"
    File:"No admin in ACL","E:\content\James16\AudPsych.flv"
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!
    RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\","InprocServer32\0"
    // Attention: entries with a zero character will not be displayed correctly and may not work!

  2. #2
    PepiMK, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    The "Zero char in key name" entries are also listed here as a part of Pinnacle Studio hiding its registration information from hackers using hackers' methods. Not nice, but not dangerous.

    The "Unknown ADS" parts are indeed harmless additional information stored in ADS. Will see if I can whitelist that.

    As for the AudPsych.flv file, is that one you stored there and you can still see in Explorer? In that case you probably just wanted to restrict access to it to your account?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
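    An added example, not from this thread and not Safer Networking's own code: a small Python triage script for RootAlyzer output that applies the explanations PepiMK gives above (PinnacleIndex ADS and the NUL-terminated InprocServer32 keys under CLSID are Pinnacle Studio's, the ACL finding needs a manual look). The sample lines are constructed from the log in the first post, and the classification rules are my assumptions, not the tool's.

```python
import re

# Constructed sample in RootAlyzer's format, modelled on the log in post #1.
SAMPLE_LOG = r'''
// info: Rootkit removal help file
:: RootAlyzer Results
File:"Unknown ADS","E:\VidOut\Render\SWB1 4BDD0157\tmp.m2v:PinnacleIndex_0:$DATA"
File:"No admin in ACL","E:\content\James16\AudPsych.flv"
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\","InprocServer32\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
'''

LINE_RE = re.compile(r'^(\w+):(.*)$')      # Kind:"field","field",...
FIELD_RE = re.compile(r'"([^"]*)"')        # one quoted field

def parse(text):
    """Return [(kind, [fields])] for each finding; skip '//' comments and '::' headers."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('//') or line.startswith('::'):
            continue
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), FIELD_RE.findall(m.group(2))))
    return out

def triage(kind, fields):
    """Return (verdict, reason); the rules are assumptions based on the thread."""
    finding = fields[0]
    if kind == 'File' and finding == 'Unknown ADS':
        path = fields[1]
        # "drive:\path\file:stream:$DATA" -> stream name is the second-to-last ':' part
        stream = path.rsplit(':', 2)[-2] if path.count(':') >= 2 else ''
        if stream.startswith('PinnacleIndex_'):
            return 'benign', 'Pinnacle Studio index data kept in an alternate data stream'
        return 'review', f'unrecognised stream "{stream}"; inspect its contents and size'
    if kind == 'RegyKey' and finding == 'Zero char in key name':
        parent, name = fields[2], fields[3]
        # A NUL in the name is a classic hiding trick: Win32 tools treat strings as
        # NUL-terminated, so regedit shows a truncated, unopenable key.
        if parent.startswith('\\SOFTWARE\\Classes\\CLSID\\') and name.startswith('InprocServer32\\0'):
            return 'benign', 'Pinnacle Studio licence data hidden with an embedded NUL'
        return 'review', 'embedded NUL in key name; not a known vendor key, treat as suspicious'
    if kind == 'File' and finding == 'No admin in ACL':
        return 'review', 'Administrators have no access; confirm the owner and restore the ACL if unexpected'
    return 'review', f'unhandled finding type {finding!r}'

if __name__ == '__main__':
    for kind, fields in parse(SAMPLE_LOG):
        print(kind, fields[0], '->', *triage(kind, fields))
```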

  3. #3
    Junior Member
    Join Date
    Nov 2008
    Posts
    3

    Quote Originally Posted by PepiMK View Post
    The "Zero char in key name" entries are also listed here as a part of Pinnacle Studio hiding its registration information from hackers using hackers' methods. Not nice, but not dangerous.

    The "Unknown ADS" parts are indeed harmless additional information stored in ADS. Will see if I can whitelist that.

    As for the AudPsych.flv file, is that one you stored there and you can still see in Explorer? In that case you probably just wanted to restrict access to it to your account?
    Thanks a lot for the speedy response. I greatly appreciate it.

    The AudPsych.flv file is visible in Explorer. I noticed it has zero bytes in it so I deleted it.

    What about the inprocserver registry entries with the zero characters? Any comments on that? Should I remove them?

    thanks,

    D
    Last edited by Fijiguy; 2008-11-25 at 23:11.

  4. #4
    PepiMK, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    See my first sentence above ^^
    They belong to Pinnacle Studio as well, a hacker's method to hide license info from hackers.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  5. #5
    Junior Member
    Join Date
    Nov 2008
    Posts
    3

    Quote Originally Posted by PepiMK View Post
    See my first sentence above ^^
    They belong to Pinnacle Studio as well, a hacker's method to hide license info from hackers.
    Ok, thanks. I did not make the connection. I spent 25 years in IS and still I'm a technopeasant.

    Regards,

    Fijiguy
