  1. #1
    Uranium Lounger viking33
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    Rootkit Revealer

    I just downloaded the latest version of Rootkit Revealer as mentioned in another thread.
    When I ran it, it showed two registry entries that it said had embedded nulls in them.

    HKLM\Security\Policy\Secrets\SAC*
    HKLM\Security\Policy\Secrets\SAI*

    Looking through Regedit, I did not see either of them at that location. (With embedded nulls, maybe that's why?)

    So, it suggested that I DL another command line file called "RegDelNull". OK, but when I ran the file from the command line, it didn't pick them up either and said none found or something like that.

    Ran RR again and it said they were still there?

    What's up, Doc? Ideas?
    BOB


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  2. #2
    Plutonium Lounger

    Re: Rootkit Revealer

    I get the same. Both keys have length 0, so they don't contain any data, and don't pose a threat, I think.
    I would leave them alone.
    Also see Sysinternals Forums: HKLM\Security\Policy\Secrets rootkits

  3. #3
    Uranium Lounger viking33

    Re: Rootkit Revealer

    Hans,
    Thanks for the info. I GUESS it's some common anomaly in the reg.
    I will leave them alone since I can't get at them anyway, even if I wanted to!
    BOB

  4. #4
    Silver Lounger

    Re: Rootkit Revealer

    Bob,
    It doesn't seem like there is any need to remove those keys, given the comments at (Windows) Sysinternals as Hans mentions. Many times what first looks like malware behaviour is later found to be legitimate programs, as I'm sure you know. But as with everything else in life, when we don't know or have enough information we speculate.

    The only way I can think of to remove keys that won't be deleted or are hidden is to use privilege escalation by running the registry editor as System (maybe sometimes offline editing works).

  5. #5
    Uranium Lounger viking33

    Re: Rootkit Revealer

    Argus,
    No, I'm not going to lose any sleep over those two entries in the reg.
    I was more curious as to why they were there in the first place and why Sysinternals' own remover
    (regdelnull) wasn't able to remove the anomalies that it found.
    BOB
