Windows Forum / Windows Me / System Tools / November 2005
Cross referencing Sony rootkit cloaked CLSID WinXP registry keys

Pamela Fischer - 21 Nov 2005 07:19 GMT
How do mere mortals find the actual "product owner" of scores of cloaked
CLSID registry keys which the SysInternals rootkit revealer revealed?

The background on this simple question is lengthy (and in the public record
already) - essentially, I ran Mark Russinovich's SysInternals rootkit
decloaker ( http://www.sysinternals.com/utilities/rootkitrevealer.html )
which found scores of cloaked Windows XP registry keys & files containing a
universally unique identifier (UUID) in the form of an 8-4-4-4-20 hex class
id which I still don't know what to do with.

Here is just one example cloaked CLSID key I am trying to figure out what
product line it belongs to.

- HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 6/16/2004 9:19 PM 0 bytes Key name contains embedded nulls (*)

To find the product associated with that unique class id, I searched the
Microsoft CLASSID web site
http://www.microsoft.com/technet/prodtechnol/host/proddocs/appint/asdefclassid.mspx
but I didn't find any lookup table cross referencing these unique 40 hex
characters to a unique product line.

What am I missing?
Does such a cross-reference table actually exist?
How are we supposed to figure out the product owner of these 40 character
hex class ids?

Thank you in advance for your assistance to me and all with this question,
Pamela Fischer
George Hester - 21 Nov 2005 10:41 GMT
Pamela, if the Rootkit Revealer found anything then I would reinstall. On
this system, which doesn't do much on the Net, it came up empty. As for the
answer to your question, you could look at the file the CLSID pertains to in
the registry. Then go to that file, right-click, choose Properties and, if
there is a Version tab, read the copyright holder.

Pamela Fischer - 21 Nov 2005 11:10 GMT
> Look at the file the CLSID pertains to in the registry.  
> Then go to that file and right-click Properties.
> If there is a version tab read the copyright holder.

Hi George Hester,

In a sane world, this would be our first logical choice.

However, the makers of Pinnacle Studio (like the makers of the Sony
ineptware cloaking) have taken advantage of an exploit of the Microsoft
Windows XP operating system to disable this simple sane lookup.

When we navigate to the specified key in regedit, we get an immediate
error upon clicking on the key. So, even if we know this particular key
is cloaked (which the SysInternals rootkit revealer correctly revealed),
we cannot view the key or the value of the key.

Is this cloaking issue getting insane or what?

By exploiting this registry weakness, simply assigning InprocServer32 a
15-character hex number instead of a 14-character hex number
automagically cloaked the software registration keys.

We can't even easily remove them!

Everywhere we look, we find exploits upon exploits of the Microsoft
Windows operating systems. This one exploit alone took me hours to find
out. I have about 19 more to go in my registry.

Wish me luck (please help where you can as others will certainly follow).

Pamela Fischer
Peabody - 21 Nov 2005 17:54 GMT
Pamela, this may be a dumb suggestion, but can you Export
the keys? If you can export these entries to a file you can
look at and edit as text, then maybe you can do something
with it. If you can't click on the entry itself, maybe you
could click on its parent and export that whole section,
then fix it in the .reg file, delete it from the registry,
and then Import the fixed version back in.

Well, it was just a thought.
pamelafiischer@yahoo.com - 22 Nov 2005 07:59 GMT
> Can you Export the keys?

I could not select the InprocServer32 key (due to the exploit
previously noted preventing any such action) but I could select the key
above it and export that branch as text:

File->Export->Save as type->Text files (*.txt)->Selected Branch
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}

The problem was, no matter how many times and ways I tried exporting
this key, I just got Cyrillic-looking gibberish of the format:
ÿþK€e€y€ €N€a€m€e€:€ € € € € € € €

>H€K€E€Y€_€L€O€C€A€L€_€M€A€C€H€I€N€E€\€S€O€F€T€W€A€R€

What are we doing wrong?
Why can't we export as text this key without getting gibberish as a
result?

For every action there is an equally confusing reaction,
Pamela Fischer
Peabody - 23 Nov 2005 00:10 GMT

I think that's just Unicode format, which has two bytes for every
character.

If you will load that .txt file into Notepad, then Save As, and select
ASCII, all of that extra stuff should be removed in the newly saved
file.
pamelafiischer@yahoo.com - 23 Nov 2005 07:27 GMT

That unfortunately gave the same output gibberish.

Exporting the key as a "reg" file worked but put nothing in the key.
--- < start > ---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}]

--- < end > ---

I'm going to look for a hex editor to see what is inside that file!

Pamela
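George's suggestion (find the file the CLSID points to, then read its Version tab) and Peabody's point about the export being Unicode come together in the following script. It is an example added here and is not code from the thread. Regedit 5.x writes .reg exports as UTF-16LE behind the byte-order mark FF FE: opened as 8-bit text that mark reads as "ÿþ", and the stray symbol after every letter is the zero high byte of each 16-bit character, which is the "gibberish" above. The script decodes the export the way regedit wrote it, parses the .reg format (not the "Text files" export format), lists which CLSIDs resolve to an InprocServer32 DLL, and lists which, like the one in this thread, export as an empty {GUID} key because regedit could not open the subkey beneath it. It also builds the [-key] form of a .reg file, which is how a key is deleted by import, and refuses a name containing an embedded NUL: Rootkit Revealer's "Key name contains embedded nulls" means the key was created through the native registry API with a NUL in its name, and the Win32 registry API regedit uses stops reading the name at that NUL, so regedit can neither open, export nor delete it (Sysinternals RegDelNull exists for that case). The sample export is constructed; only the first CLSID is the one from the thread, the second CLSID and DLL path are made up, and ANSI (REGEDIT4) exports are assumed to be cp1252.

```python
"""Resolve CLSIDs in a regedit export to their InprocServer32 DLL.

Added example for this thread. The sample export is constructed; only the
first CLSID below is the one from the thread. Handles the .reg format
("Windows Registry Editor Version 5.00" / REGEDIT4), not the "Text files"
export format.
"""
import re

# Regedit 5.x writes .reg exports as UTF-16LE behind a byte-order mark (FF FE).
# Opened as 8-bit text, that BOM reads as "ÿþ" and the zero high byte of every
# character appears as a stray symbol after each letter.
BOM_UTF16LE = b"\xff\xfe"
BOM_UTF8 = b"\xef\xbb\xbf"

CLSID_CLOAKED = "{47629D4B-2AD3-4e50-B716-A66C15C63153}"  # from the thread
CLSID_NORMAL = "{00000000-0000-0000-0000-000000000001}"   # constructed, not real

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
_INPROC_RE = re.compile(r"\\CLSID\\" + _GUID + r"\\InprocServer32$", re.IGNORECASE)
_CLSID_KEY_RE = re.compile(r"\\CLSID\\" + _GUID + r"$", re.IGNORECASE)


def decode_reg_export(data: bytes) -> str:
    """Decode raw export bytes the way regedit wrote them."""
    if data.startswith(BOM_UTF16LE):
        return data[2:].decode("utf-16-le")
    if data.startswith(BOM_UTF8):
        return data[3:].decode("utf-8")
    # BOM-less UTF-16LE of ASCII text has a NUL at every odd offset.
    if len(data) >= 4 and all(b == 0 for b in data[1:64:2]):
        return data.decode("utf-16-le")
    return data.decode("cp1252")  # REGEDIT4 exports are ANSI (cp1252 assumed)


def _unescape(s: str) -> str:
    """Undo the backslash escaping .reg uses inside quoted strings."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_value(raw: str):
    """String, dword: or hex(...): right-hand side -> Python value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):
        body = raw.split(":", 1)[1]
        return bytes(int(h, 16) for h in body.split(",") if h.strip())
    return raw


def parse_reg(text: str) -> dict:
    """Map each key path to {value name: value}; "@" is the default value.
    Deletion requests ([-path]) keep the leading "-" in their key."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.endswith("\\") and line[0] != "[":  # hex: value continued on next line
            pending = line[:-1]
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1) + m.group(2)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _parse_value(m.group(3))
    return keys


def inproc_servers(keys: dict) -> dict:
    """CLSID -> DLL path for every InprocServer32 subkey in the export."""
    found = {}
    for path, values in keys.items():
        m = _INPROC_RE.search(path)
        if m:
            found[m.group(1).upper()] = values.get("@")
    return found


def clsids_without_inproc(keys: dict) -> list:
    """CLSID keys exported with no InprocServer32 subkey beneath them.
    For a single-branch export like the thread's this is the cloaking symptom;
    in a full CLSID export it also lists legitimate out-of-process servers
    (LocalServer32), so check those by hand."""
    present = inproc_servers(keys)
    return [m.group(1) for path in keys for m in [_CLSID_KEY_RE.search(path)]
            if m and m.group(1).upper() not in present]


def removal_reg(key_path: str) -> str:
    """The .reg text that deletes key_path on import ([-path] syntax).
    A name with an embedded NUL is refused: the Win32 registry API regedit
    uses stops reading the name at the NUL, so the key cannot be opened,
    exported or deleted from regedit (Sysinternals RegDelNull handles it)."""
    if "\x00" in key_path:
        raise ValueError("embedded NUL in key name; regedit cannot address it")
    return "Windows Registry Editor Version 5.00\r\n\r\n[-%s]\r\n" % key_path


# Constructed export: the thread's CLSID exported as an empty key (regedit
# could not open its InprocServer32 subkey) next to an ordinary, made-up one.
SAMPLE_TEXT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{CLSID_CLOAKED}]",
    "",
    f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{CLSID_NORMAL}]",
    '@="Example in-process server"',
    "",
    f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{CLSID_NORMAL}\\InprocServer32]",
    '@="C:\\\\Program Files\\\\Example\\\\example.dll"',
    '"ThreadingModel"="Apartment"',
    "",
])
SAMPLE_EXPORT = BOM_UTF16LE + SAMPLE_TEXT.encode("utf-16-le")  # exactly what regedit writes

if __name__ == "__main__":
    keys = parse_reg(decode_reg_export(SAMPLE_EXPORT))
    for clsid, dll in inproc_servers(keys).items():
        print(clsid, "->", dll)  # this is the file whose Version tab to read
    for clsid in clsids_without_inproc(keys):
        print(clsid, "-> InprocServer32 not visible to regedit")
```

Point the script at a real export by replacing SAMPLE_EXPORT with the bytes of the exported file; the DLL paths it prints are the files whose Properties > Version tab (CompanyName, LegalCopyright) answers the "product owner" question. A CLSID that comes back with no visible InprocServer32 has to be handled outside regedit, for the reason given in removal_reg.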
Jim Cladingboel - 24 Nov 2005 02:12 GMT
Excuse this interruption, but what does all of this have to do with Windows ME?

Jim, in sunny Brisbane, Oz.

George Hester - 22 Nov 2005 07:04 GMT
What makes you think Pinnacle is part of this type of vandalism? I know
about Sony but I have not heard about Pinnacle. The way you get rid of
something like that in the registry is saving a piece of the hive without
that particular key and then importing that hive. Those here know better
than I do; I hope someone can explain how to do it better, but that is what
you will need to do.

©2008 Advenet LLC   Privacy Policy - Terms of Use