Hi,
Thank you for the Root Alyzer.
I did download it and execute it from the zip file on the desktop. How do I complete the installation in order to execute it in the future? I did not see it in the Spybot list of plugins.
I did not find any problems with the quick scan. I got 36 entries like this one from the deep scan. They all dealt with System Certificates. There was no explanation:
Key:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Policies\Microsoft\SystemCertificates\?????k\",""
Thanks
Frank C
 
can it remove the rootkits it has found?
And btw I selected the deep scan and chose the C: drive to scan, but it doesn't start scanning; it says you didn't select any drives for scanning and under it writes "registry scanner starting".
 
I've sent the email.

Would you consider adding an option to select which registry hive to scan, like the file scanning, so not only is there precise control over individual hives, but also the ability to turn off registry scanning if needed.
 
Regalyzer

Just downloaded and will be interested to see how it works. I have used Rootkit Revealer from Sysinternals, but was not able to interpret results. Being Microsoft they are bureaucratic and yet to respond to my forum registration, after 5 days!
Be curious to know the registry cleaner Robo had a problem with as I think my recent troubles began with a trusted registry cleaner :clown:
 
Just to keep everyone up-to-date, I think I've finally been able to reproduce the problems for example ddcc_7 reported - on Windows 2000 (the same registry keys do not cause any trouble on XP), and fixed them.
It was kind of similar to the problem with detecting registry keys: in rare cases, RegQueryInfoKey returns "0" as the maximum length for the name of any values inside a key (lpcMaxValueNameLen). While I see this as a possible trouble cause, since even regedit is able to ignore it, it shouldn't be mentioned here though.

I've also added that missing feature request to the bugtracker:
Select list of reg hives to scan

As for interpreting the results, only 0.1.3 will start having the "Details" column filled, and then we will have to add a helpfile providing more details on what these short "details" mean ;)
 
And then...

Hi there,

Nice tool!

I've been attempting to remove a very persistent piece of spyware, and I've used every piece of ammo I've got and can't get rid of it.

I've stumbled across this tool in my attempts.

I've got a hidden file: c:\windows\system32\drivers\sajp38.sys.

What do we do from here? I can't find it in Windows Explorer... Nothing shows up in Google about it...

It'd be handy to see the Date Modified properties, and other file properties for the file. At least we'd then have some idea if it is in fact a file that we need to concern ourselves with?

Thanks!
Max
 
Updating it...

Will we always have to come back here to check for the latest version of RootAlyzer, or will you incorporate an update feature?
Anyway, it's a great tool!
 
Found the hidden file!

Hi again,

Just a little post. The file that I couldn't find to delete? I found it... sort of...

Turns out, it's being loaded as a hidden device driver. I found it in Device Manager under Hidden Devices. Very tricky, cause that means it was getting loaded under all circumstances, and wasn't a running process, and wasn't starting with "startup processes" under Windows XP.

I've disabled it tonight. I'll attempt to delete it tomorrow with Recovery Console.

BUT: Word of warning to those out there: This process was running as a spamming generator! It's just spamming and spamming. The only reason I knew it was even there was because my client got listed on about 6 spam blockers, and all their emails were getting rejected.

I haven't found this malware with any tool around. Spybot, Adaware, HijackThis, CWShredder, SmitFraudFix. Nothing.

We're running Trend Micro Client Server Messaging Suite. That didn't find it.

I have scanned this machine about 30 times. I've done a System Restore. I've deleted all files that came onto the machine the day it got infected.

I ran Wireshark and that didn't see any SMTP requests. The firewall didn't block it, even though I explicitly blocked port 25, and it was blocking my attempts to telnet into mail servers. Then I blocked all network activity, and it was still occurring.

Netstat -oa didn't show any open or listening SMTP ports.

It's a really tricky one. I've been pulling my hair out for weeks! (I know most of you are wondering why I haven't reinstalled Windows yet... my client just doesn't want me to do that right now... And I really wanted to find it!!!)

So, in closing! Thanks to RootAlyzer. It's the only clue I had.

Cateyed
 
With W98, what are the features I shouldn't use?

Ah yes, compatibility, should've mentioned that somewhere ;)

The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compares NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

The screenshots show XP, admitted ;) Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.

I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

Thanks
 
:sad: Just starting it and... Access Violation....
Any ideas to use it on W98?

I'll copy here the bug report

date/time : 2008-04-17, 22:44:53, 740ms
computer name : AST COMPUTER
user name : user2
registered owner : My Self
operating system : Windows 98 SE build 2222
system language : English
system up time : 1 hour 19 minutes
program up time : 10 seconds
physical memory : 348/510 MB (free/total)
system resources : 80/71 (gdi/user)
free disk space : (C:) 3.36 GB
display mode : 800x600, 24 bit
process id : $ffe50f69
allocated memory : 22.89 MB
executable : ROOTALYZER.EXE
exec. date/time : 2008-03-31 12:16
version : 0.1.3.26
compiled with : BCB 2006
madExcept version : 3.0e
callstack crc : $00000000, $17bcefc0, $17bcefc0
count : 2
exception number : 1
exception class : EAccessViolation
exception message : Access violation at address 00000000. Read of address FFFFFFFF.

main thread ($ffe50ee9):
00000000 +000 ???
304f3a41 +0ed ROOTALYZER.EXE snlFilesListWinNative 92 +8 TNTFileEnumerator.EnumNTPathFileNames
30532f97 +073 ROOTALYZER.EXE snlRootKitsNTFiles 49 +8 TRootKitIndicatorNTFiles.ExecuteTests
3053354f +023 ROOTALYZER.EXE snlRootKitsList 75 +3 TRootKitIndicatorList.Process
30536752 +03a ROOTALYZER.EXE FrameUnitRKScanSimple 135 +5 TframeRKScanSimpleBase.Process
3053e069 +019 ROOTALYZER.EXE FormUnitRKIndicators 235 +3 TformRKIndicators.FormPaint
304ad6d9 +015 ROOTALYZER.EXE Forms 4471 +1 TCustomForm.Paint
304ad768 +068 ROOTALYZER.EXE Forms 4486 +5 TCustomForm.PaintWindow
30499b71 +055 ROOTALYZER.EXE Controls 7306 +4 TWinControl.PaintHandler
3049a153 +03f ROOTALYZER.EXE Controls 7462 +6 TWinControl.WMPaint
304ad88d +02d ROOTALYZER.EXE Forms 4523 +4 TCustomForm.WMPaint
30495c8f +2bb ROOTALYZER.EXE Controls 5143 +83 TControl.WndProc
304999d5 +499 ROOTALYZER.EXE Controls 7246 +105 TWinControl.WndProc
304ab1f5 +4c1 ROOTALYZER.EXE Forms 3284 +125 TCustomForm.WndProc
30499160 +02c ROOTALYZER.EXE Controls 7021 +3 TWinControl.MainWndProc
3046bb88 +014 ROOTALYZER.EXE Classes 11572 +8 StdWndProc
304b2834 +0fc ROOTALYZER.EXE Forms 7670 +23 TApplication.ProcessMessage
304b286e +00a ROOTALYZER.EXE Forms 7689 +1 TApplication.HandleMessage
304b2a8e +096 ROOTALYZER.EXE Forms 7773 +16 TApplication.Run
30540c70 +064 ROOTALYZER.EXE RootAlyzer 29 +5 initialization

thread $ffe7eccd:
bff99b32 KERNEL32.DLL
 
Hmm, I thought I had written it somewhere, but I can't find it right now :D

Most rootkit methods are targeted at NT-based systems, since the dual layer structure allows for hiding things on the upper, regularly used one while being able to access the hidden things through the lower one. These kinds of trouble you won't have on 9x. I've added a todo entry for myself to make sure that NT-specific tests won't be executed on 9x though, to make it run for those few left at least.
 
Thanks a lot:bigthumb:
Now, how can I know when it is modified?

Thanks again
 
Found some false positives:
:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8a97cf1e451.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8b15d5c3d38.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
Those are some faxes from the Microsoft Fax program. They are not infected or dangerous.
PacificMorrowind.
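An added example, not RootAlyzer's own code: a small Python parser for result lines in the format quoted in this post and earlier in the thread (the "Hidden registry key" entries). It splits ADS entries into file, stream name and stream type and applies the benign rule from this post (fax inbox .tif streams), so only the remaining entries need review. The sample lines are constructed, and the field layout and triage rule are assumptions drawn from this thread.

```python
import csv
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the result lines quoted in this thread.
SAMPLE_RESULTS = r'''
:: RootAlyzer Results
Key:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Policies\Microsoft\SystemCertificates\?????k\",""
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8a97cf1e451.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Temp\constructed-sample.exe:hidden:$DATA"
'''

@dataclass
class Finding:
    kind: str              # "Key" or "File"
    category: str          # e.g. "Hidden registry key", "Unknown ADS"
    path: str              # full key path, or file path with the stream stripped
    stream: Optional[str]  # ADS stream name, if any
    verdict: str           # "benign: ..." or "review"

def triage(kind: str, category: str, path: str) -> str:
    """Assumed rule from this thread: ADS on Microsoft Fax inbox .tif files are benign."""
    p = path.lower()
    if kind == "File" and category == "Unknown ADS" \
            and "\\msfax\\inbox\\" in p and p.endswith(".tif"):
        return "benign: Microsoft Fax inbox stream"
    return "review"

def parse_line(line: str) -> Optional[Finding]:
    """Parse one 'Key:...' or 'File:...' record; headers and blank lines give None."""
    line = line.strip()
    if not line or line.startswith("::"):
        return None
    kind, _, rest = line.partition(":")
    fields = next(csv.reader([rest]))  # fields are CSV-quoted; backslashes are literal
    if kind == "Key":
        category, hive, subkey, _value = fields
        path = hive + subkey
        return Finding(kind, category, path, None, triage(kind, category, path))
    if kind == "File":
        category, path = fields
        stream = None
        if category == "Unknown ADS":  # reported as file:streamname:$DATA
            path, stream, _stype = path.rsplit(":", 2)
        return Finding(kind, category, path, stream, triage(kind, category, path))
    raise ValueError(f"unknown record kind: {kind}")

def parse_results(text: str) -> list:
    """Parse a whole results export, skipping the ':: RootAlyzer Results' header."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]
```

Entries with verdict "review" are the ones worth looking at by hand; the hidden SystemCertificates keys from earlier in the thread stay in that bucket because nothing here establishes what they are.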
 
Update new version link

Just a suggestion: Could you please update the link on the 1st. note of this thread to point to the new version?
Thanks, Becky
 