Do I have a genuine rrrrootkit?

Do I have a genuine rrrrootkit? Massimo 04-21-2008
Posted by Kayman on April 21, 2008, 8:36 pm
On Mon, 21 Apr 2008 18:20:29 +0200, Massimo wrote:

> Hello,
>
> I did a full scan of my system with Avira virusscanner Free Version
> and it found nothing.
> Then a rootkit scan with Blacklight and it found nothing
> After that a rootkit scan with Trend Micro's Rootkit Buster: it found
> nothing.
> Finally I did a rootkit scan with Avira's Anti Rootkit Tool and it
> found this:
>
> Results:
> Hidden key :
> HKEY_USERS\S-1-5-21-1614895754-796845957-682003330-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1614895754-796845957-682003330-1004\data
> Hidden value :
> HKEY_USERS\S-1-5-21-1614895754-796845957-682003330-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1614895754-796845957-682003330-1004
> -> migrate
>
> Now I am not an expert and I am asking myself what to do with these
> findings.
> Do they point to a rootkit? And if so, what should be my next actions?
>
Rootkit Removal applications.
The effectiveness of an individual rootkit removal application is
wide-ranging and it is recommended to utilize a collection of removal tools;
you are encouraged to try all of them (join relevant fora for additional
support, i.e. interpretation of scan results):

DarkSpy
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/forums/viewforum.php?f=18

F-Secure BlackLight (Download Trial)
http://www.f-secure.com/blacklight/
http://www.antirootkit.com/forums/viewforum.php?f=13

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

IceSword
http://www.antirootkit.com/software/IceSword.htm
http://www.antirootkit.com/forums/index.php

RAIDE
http://www.rootkit.com/project.php?id=33
download:
http://www.rootkit.com/vault/petersilberman/RAIDE_BETA_1.zip
http://www.rootkit.com/boardm.php

Rootkit Revealer
http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx
http://forum.sysinternals.com/forum_topics.asp?FID=15

RootKit Hook Analyzer
http://www.softpedia.com/get/Security/Security-Related/RootKit-Hook-Analyzer.shtml
http://www.antirootkit.com/forums/viewforum.php?f=17

RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer
http://www.antirootkit.com/forums/viewforum.php?f=17

RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip

Sophos Anti-Rootkit - Free tool for rootkit detection and removal
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Direct link:
http://www.sophos.com/support/cleaners/sarsfx.exe
http://www.techsupportforum.com/networking-forum/security-firewalls/113585-free-sophos-anti-rootkit.html

System Virginity Verifier
http://www.softpedia.com/get/System/System-Info/System-Virginity-Verifier.shtml
http://www.antirootkit.com/forums/viewforum.php?f=25

System Virginity Verifier
http://www.antirootkit.com/software/System-Virginity-Verifier.htm
http://www.antirootkit.com/forums/viewforum.php?f=25

VICE
http://www.rootkit.com/project.php?id=20
download:
http://www.rootkit.com/vault/fuzen_op/vice.zip
http://www.rootkit.com/boardm.php

"Make sure you always read the current user instructions for your scanning
tools to see what special steps you need to take before, during and after
the clean-up process. Then, after you've found and cleaned a rootkit,
rescan the system once you reboot to double-check that it was fully cleaned
and the malware hasn't returned."

Avoiding Rootkit Infection.
"The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection however there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges."

AntiHook
http://www.infoprocess.com.au/AntiHook.php

DiamondCS ProcessGuard
http://www.diamondcs.com.au/processguard/
http://www.diamondcs.com.au/processguard/download.php

Educational viewing!
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

Posted by Dave Budd on April 22, 2008, 4:15 am
och@'tisnietwaar.nl says...
> Hello,
>
> I did a full scan of my system with Avira virusscanner Free Version
> and it found nothing.
> Then a rootkit scan with Blacklight and it found nothing
> After that a rootkit scan with Trend Micro's Rootkit Buster: it found
> nothing.
> Finally I did a rootkit scan with Avira's Anti Rootkit Tool and it
> found this:
>
> Results:
> Hidden key :
> HKEY_USERS\S-1-5-21-1614895754-796845957-682003330-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1614895754-796845957-682003330-1004\data
> Hidden value :
> HKEY_USERS\S-1-5-21-1614895754-796845957-682003330-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1614895754-796845957-682003330-1004
> -> migrate
>
> Now I am not an expert and I am asking myself what to do with these
> findings.
> Do they point to a rootkit? And if so, what should be my next actions?
>
> Thanks,
>
> Massimo
>
The Protected Storage System is for holding all your internet-related
passwords etc. So you don't have to type them in every time you start
your mailer or newsagent, etc etc. And because this data is a bit
sensitive, they make the reg keys hidden.
I don't think that's a rootkit.
--
Snob? Were I a snob, I wouldn't be talking to you.

Posted by Massimo on April 22, 2008, 4:16 am
Hello Dave,

On Tue, 22 Apr 2008 09:15:03 +0100, Dave Budd

>och@'tisnietwaar.nl says...
>> Hello,
>>
>> I did a full scan of my system with Avira virusscanner Free Version
>> and it found nothing.
>> Then a rootkit scan with Blacklight and it found nothing
>> After that a rootkit scan with Trend Micro's Rootkit Buster: it found
>> nothing.
>> Finally I did a rootkit scan with Avira's Anti Rootkit Tool and it
>> found this:
>>
>> Results:
>> Hidden key :
>> HKEY_USERS\S-1-5-21-1614895754-796845957-682003330-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1614895754-796845957-682003330-1004\data
>> Hidden value :
>> HKEY_USERS\S-1-5-21-1614895754-796845957-682003330-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1614895754-796845957-682003330-1004
>> -> migrate
>>
>> Now I am not an expert and I am asking myself what to do with these
>> findings.
>> Do they point to a rootkit? And if so, what should be my next actions?
>>
>> Thanks,
>>
>> Massimo
>>
>The Protected Storage System is for holding all your internet-related
>passwords etc. So you don't have to type them in every time you start
>your mailer or newsagent, etc etc. And because this data is a bit
>sensitive, they make the reg keys hidden.
>I don't think that's a rootkit.

Thank you for your suggestion.
Though I think I will follow the advice given by Kayman in this same
thread anyhow and start my anti-rootkit studies soon. :-)

But I am glad that your reaction takes the heat from the situation.

Regards,

Massimo

Posted by VanguardLH on April 22, 2008, 5:38 am
Massimo wrote:

> Finally I did a rootkit scan with Avira's Anti Rootkit Tool and it
> found this:
>
> Results:
> Hidden key :
> HKEY_USERS\<yourSID>\Software\Microsoft\Protected Storage System
> Provider\<yourSID>\data

Probably means there are data items defined that you cannot see under
the default set of permissions assigned to the container key.

> Hidden value :
> <samekey>
> -> migrate

So was the registry key really hidden? Well, not if you were logged on
as an administrator. When you used regedit.exe, did you find that key
or not? Select the key:

HKUSR\<yourSID>\Software\Microsoft\Protected Storage System\<yourSID>

Right-click on it and change permissions to add the Administrators group
(presumably you are logged in under an admin-level account which you
would need to be changing permissions). Give full control to the
Administrators group. Voila, now the data item named "migrate" shows
up. Just because you are an administrator doesn't mean you are
automatically given permission to everything. The reason is that you
could shoot yourself in your own foot and make the OS unbootable by
deleting some critical keys that even admins need to be very careful in
deleting or editing. Hiding because of permissions should not be
considered rootkit behavior. Also, that data item has a value, not a
path to an executable.

Hiding by permission is considered normal behavior, especially regarding
security mechanisms. When you, er, Avira said it was hidden, I thought
it might be the old trick of using null characters in the key's name
which makes it impossible to delete that key or get into the subkeys
(because of a quirk in the Win32API on parsing the key's name).
SysInternals has their RegDelNull utility for that old trick
(http://technet.microsoft.com/en-us/sysinternals/bb897448.aspx). This
one deletes those types of deliberately malformed named registry keys.
I don't remember its name but another utility simply strips out the null
characters to leave the registry key so you could then drill down inside
of it.

That Avira products generate false positives is not rare or unknown.
While their anti-virus program has a nice high coverage rate for
detecting pests, they also generate too many false positives.

This registry key is part of Microsoft Pstore (Protected Data Storage);
see http://msdn2.microsoft.com/en-us/library/bb432403.aspx. Pstore was
dropped in Windows Vista. The keys are still there but set to
read-only. In Windows Vista, they moved to DPAPI (see
http://msdn2.microsoft.com/en-us/library/ms995355.aspx) which has been
around since 2001 starting in Windows 2000. Dropping Pstore is why some
applications won't work correctly under Vista, like Outlook 2002 which
will always prompt for the account logins the first time Outlook
connects to those servers (it caches up the login credentials during
that Outlook session).
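The distinction VanguardLH draws above (a key that is "hidden" only because its DACL grants nothing to your account, versus one that is genuinely absent or unopenable) can be checked directly. The following is an added example, not code from the thread; it assumes Windows PowerShell run from an administrator account, and that the key path is the one reported by Massimo's scan, built from the current user's SID (the `<yourSID>` of the thread).

```powershell
# Added example (not from the thread). Classifies why a registry key looks "hidden":
# readable, denied by DACL (normal for Protected Storage), or not present at all.
# Assumes an admin account so the security descriptor itself can still be read.
function Test-HiddenRegistryKey {
    param([Parameter(Mandatory)][string]$KeyPath)   # e.g. 'HKU:\S-1-5-21-...\Software\...'

    # The HKU: drive is not mapped by default; map HKEY_USERS once.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    $result = [ordered]@{ Key = $KeyPath; Exists = $false; Readable = $false
                          Owner = $null; Access = @(); Verdict = '' }

    # Step 1: read the security descriptor (who is actually granted what).
    try {
        $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
        $result.Exists = $true
        $result.Owner  = $acl.Owner
        $result.Access = @($acl.Access | ForEach-Object {
            '{0}: {1} ({2})' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType })
    } catch {
        if ($_.CategoryInfo.Category -eq 'ObjectNotFound') {
            $result.Verdict = 'Key not found via the Win32 registry API (absent, or a name the API cannot parse).'
        } else {
            $result.Exists  = $true
            $result.Verdict = 'Exists, but its security descriptor is unreadable: ' + $_.Exception.Message
        }
        return [pscustomobject]$result
    }

    # Step 2: try to open the key and list its values, as regedit would.
    try {
        $null = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
        $result.Readable = $true
        $result.Verdict  = 'Readable by the current account; not hidden.'
    } catch {
        $result.Verdict = 'Open denied by the DACL: hidden by permissions, which is expected for Protected Storage keys, not rootkit behaviour.'
    }
    [pscustomobject]$result
}

# Build the thread's key path for the current user's SID.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$key = "HKU:\$sid\Software\Microsoft\Protected Storage System Provider\$sid"
Test-HiddenRegistryKey -KeyPath $key | Format-List
```

An `Access` list naming only NT AUTHORITY\SYSTEM together with a "denied by the DACL" verdict is the permission-hiding case described above; a key the API cannot find at all is the only outcome that warrants further investigation.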

Posted by Massimo on April 22, 2008, 4:01 pm
Hello,


>Massimo wrote:
>
>> Finally I did a rootkit scan with Avira's Anti Rootkit Tool and it
>> found this:
>>
>> Results:
>> Hidden key :
>> HKEY_USERS\<yourSID>\Software\Microsoft\Protected Storage System
>> Provider\<yourSID>\data
>
>Probably means there are data items defined that you cannot see under
>the default set of permissions assigned to the container key.
>
I doubt that? 'the container key'... if you mean by that:
HKEY_USERS\<yourSID>\Software\Microsoft\Protected Storage System
Provider\<yourSID>
so the same but without 'data', then I can tell you that only SYSTEM
has permissions. What does that mean? That even me as admin I have no
rights to see the whole key?
Does the 'data' of the key mean the data that I can see in regedit as:
(standard) REG_SZ (no value set) ?

>> Hidden value :
>> <samekey>
>> -> migrate
>
>So was the registry key really hidden? Well, not if you were logged on
>as an administrator. When you used regedit.exe, did you find that key
>or not? Select the key:
>
>HKUSR\<yourSID>\Software\Microsoft\Protected Storage System\<yourSID>
>
That is what I did. :-)

>Right-click on it and change permissions to add the Administrators group
>(presumably you are logged in under an admin-level account which you
>would need to be changing permissions). Give full control to the
>Administrators group.

Goddamn... this does not work. I tried to add the Administrators
group but after clicking on o.k. it does not add it to SYSTEM that
already has the permissions. I tried it also with my more personal
username under which I do have the necessary permissions for the 'one
step higher' key, but it is refused ('Name not found', The object with
the name (etc.) does not come from a domain that belongs to the
dialogue window Choose location, and thus is invalid.)

>Voila, now the data item named "migrate" shows
>up.

Alas...

>Just because you are an administrator doesn't mean you are
>automatically given permission to everything. The reason is that you
>could shoot yourself in your own foot and make the OS unbootable by
>deleting some critical keys that even admins need to be very careful in
>deleting or editing. Hiding because of permissions should not be
>considered rootkit behavior. Also, that data item has a value, not a
>path to an executable.
>
I see

>Hiding by permission is considered normal behavior, especially regarding
>security mechanisms. When you, er, Avira said it was hidden, I thought
>it might be the old trick of using null characters in the key's name
>which makes it impossible to delete that key or get into the subkeys
>(because of a quirk in the Win32API on parsing the key's name).
>SysInternals has their RegDelNull utility for that old trick
>(http://technet.microsoft.com/en-us/sysinternals/bb897448.aspx). This
>one deletes those types of deliberately malformed named registry keys.
>I don't remember its name but another utility simply strips out the null
>characters to leave the registry key so you could then drill down inside
>of it.
>
Eh, this goes a little bit too far for me I'm afraid.

>That Avira products generate false positives is not rare or unknown.
>While their anti-virus program has a nice high coverage rate for
>detecting pests, they also generate too many false positives.
>
Indeed, I am aware of Avira's reputation as to false positives.

>This registry key is part of Microsoft Pstore (Protected Data Storage);
>dropped in Windows Vista. The keys are still there but set to
>read-only. In Windows Vista, they moved to DPAPI (see
>http://msdn2.microsoft.com/en-us/library/ms995355.aspx) which has been
>around since 2001 starting in Windows 2000. Dropping Pstore is why some
>applications won't work correctly under Vista, like Outlook 2002 which
>will always prompt for the account logins the first time Outlook
>connects to those servers (it caches up the login credentials during
>that Outlook session).

Interesting, though I do not work with Vista myself yet.

Thanks for reacting!

Massimo
