gi7omy

Rootkit - WARNING

Question

Just when you thought it was safe to go back in the water

 

http://searchwindowssecurity.techtarget.co...1224912,00.html

 

I ran the sysinternals scan - and found it flagged two entries in the registry:

HKLM\SECURITY\Policy\Secrets\SAC\*

HKLM\SECURITY\Policy\Secrets\SAI\*

 

Both showing 'keyname contains embedded nulls'(*)

 

I did a search on these and they seem to be harmless (they're part of the installed OS) but then, so's Alexa

 

How serious the threat is I don't know but it looks as if we're going to have to run an additional sweep (on top of A/V and Malware ones)


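The finding described in the post above is a cross-view discrepancy: the native registry API reports key names as counted UTF-16 buffers, so a name can legitimately contain U+0000, while Win32 callers (regedit included) treat the name as NUL-terminated and only see the part before the first null. A key named that way cannot be opened, listed or deleted through the Win32 view, which is a classic hiding trick, but some OS-created keys carry such names too. The script below is an added example, not RootkitRevealer's code or anything Sysinternals published; it models the comparison on constructed key names (a real scan would enumerate with NtEnumerateKey and RegEnumKeyExW on Windows) and allowlists the two HKLM\SECURITY\Policy\Secrets entries the thread identifies as part of the OS. The suspect key under Run is hypothetical.

```python
"""
Cross-view check for registry key names that contain embedded NULs.

Added example for this thread; it is not RootkitRevealer's code. The native
registry API returns key names as counted UTF-16 buffers, so a name may
contain U+0000. Win32 callers such as regedit stop at the first NUL and only
see the prefix. All key names and byte buffers below are constructed for
the demonstration, not captured from a real system.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Paths the thread identifies as OS-installed keys whose names end in a NUL.
KNOWN_BENIGN = frozenset({
    r"HKLM\SECURITY\Policy\Secrets\SAC",
    r"HKLM\SECURITY\Policy\Secrets\SAI",
})


@dataclass(frozen=True)
class NativeKey:
    """A key as the native API reports it: parent path plus a counted name buffer."""
    parent: str
    name_utf16le: bytes  # counted buffer with no terminator (like UNICODE_STRING)

    def native_name(self) -> str:
        return self.name_utf16le.decode("utf-16-le")

    def win32_name(self) -> str:
        # Win32 and regedit treat the name as NUL-terminated: truncate at the first NUL.
        name = self.native_name()
        cut = name.find("\x00")
        return name if cut < 0 else name[:cut]


@dataclass(frozen=True)
class Finding:
    native_path: str   # the NUL rendered as '*', as the tool output in the thread does
    win32_path: str    # what a Win32 view (regedit) would show, if anything
    benign: bool       # True when the visible path is on the OS allowlist


def encode_name(name: str) -> bytes:
    """Build the counted UTF-16LE buffer for a key name (constructed input)."""
    return name.encode("utf-16-le")


def cross_view_findings(keys: Iterable[NativeKey]) -> List[Finding]:
    """Report every key whose native name would be truncated by the Win32 view."""
    findings: List[Finding] = []
    for key in keys:
        native = key.native_name()
        if "\x00" not in native:
            continue  # both views agree; nothing is hidden
        win32 = key.win32_name()
        # A name that starts with NUL is invisible entirely; Win32 sees only the parent.
        win32_path = f"{key.parent}\\{win32}" if win32 else key.parent
        findings.append(Finding(
            native_path=f"{key.parent}\\{native.replace(chr(0), '*')}",
            win32_path=win32_path,
            benign=win32_path in KNOWN_BENIGN,
        ))
    return findings


def suspicious(keys: Iterable[NativeKey]) -> List[Finding]:
    """Only the discrepancies that are not explained by a known OS key."""
    return [f for f in cross_view_findings(keys) if not f.benign]


def sample_keys() -> List[NativeKey]:
    """Constructed input: the two keys from the thread, one hypothetical suspect, one normal."""
    secrets = r"HKLM\SECURITY\Policy\Secrets"
    run = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    return [
        NativeKey(secrets, encode_name("SAC\x00")),          # OS-installed, benign
        NativeKey(secrets, encode_name("SAI\x00")),          # OS-installed, benign
        NativeKey(run, encode_name("Updater\x00hidden")),    # hypothetical hidden key
        NativeKey(run, encode_name("SomeApp")),              # ordinary key, no finding
    ]


if __name__ == "__main__":
    for f in cross_view_findings(sample_keys()):
        tag = "known benign" if f.benign else "INVESTIGATE"
        print(f"{tag:13} {f.native_path}  (Win32 sees: {f.win32_path})")
```

The allowlist is keyed on the Win32-visible path because that is what a reader will look up; anything else with a NUL in its name is worth a second look, and as later posts in the thread note, regedit will not show the SECURITY subkeys at all by default, so a Win32-only tool is the wrong instrument for confirming either case.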
23 answers to this question


I just picked up NAV2007 which is supposed to also detect and remove rootkits. Hopefully it won't screw things up with false positives.

 

I never had a need and always wondered about the F-Secure BlackLight and passed when they warned it was a beta and might cause havoc. Beta is a four letter word after all....I try to pass.

 

 

Always something to worry about, isn't there?


".... just picked up NAV2007 which....."

 

I am running NIS2006 on all my computers and there are only a couple of months left on a couple of the subscriptions for their updates. I have been thinking about buying the new NIS 2007, but have heard that it is a hog for resources, so I'm not sure. You're running just Norton Antivirus, so does just running the anti-virus program alone keep all the other malware, spam etc. out of your computer?

 

Frank...

".... just picked up NAV2007 which....."

 

I am running NIS2006 on all my computers and there are only a couple of months left on a couple of the subscriptions for their updates. I have been thinking about buying the new NIS 2007, but have heard that it is a hog for resources, so I'm not sure. You're running just Norton Antivirus, so does just running the anti-virus program alone keep all the other malware, spam etc. out of your computer?

 

Frank...

 

I have "heard" Norton is a hog for resources for years. Never had a problem. Currently running NIS2007.

Intel Core 2 Duo E6700 2.66GHz, 3GB DDR2-800 memory

 

Not to be critical Marlin, but how could you tell on your rig!

 

cd

".... just picked up NAV2007 which....."

 

I am running NIS2006 on all my computers and there are only a couple of months left on a couple of the subscriptions for their updates. I have been thinking about buying the new NIS 2007, but have heard that it is a hog for resources, so I'm not sure. You're running just Norton Antivirus, so does just running the anti-virus program alone keep all the other malware, spam etc. out of your computer?

 

Frank...

The anti-virus alone doesn't cover malware, spam, etc.

I recently ditched Norton AV and installed AVG Anti-Malware. Check it out, along with alternatives to all Norton products, at

http://www.grisoft.com/doc/5/lng/uk/tpl/tpl01


Currently I'm running Symantec Corporate A/V, Adaware and Spybot and now also Sophos rootkit (three dedicated programs that have their own function and each do it well)


I could tell on mine... I got rid of Norton's when my subscription ran out. Boots much faster. Some applications launch faster, too. At the moment, I'm running AVG free 7.5 and MS Defender.

 

There are also certain 'risky' activities like staying away from websites that are real popular by teens and tweens. A haven for spyware and pop ups. I NEVER open attachments from anyone I don't know.

Not to be critical Marlin, but how could you tell on your rig!

 

cd

 

I haven't always had this rig; I have run Norton on 1.0GHz up to 3.6GHz. Only in the past couple of years have I come down with upgrade mania. :) And you know I do enjoy it so.

 

Also, I just ran Sysinternals' newest RootkitRevealer myself. Came up with the exact same messages, plus a couple for Symantec due to hiding files from the API. When I looked at the registry entry they mentioned, there is nothing there. It is empty under HKLM\Security. I am wondering if they are flagging it because it is empty?


"You're running just Norton Antivirus, so does just running the anti virus program alone keep all the other malware, spam etc. out of your computer ??"

 

I am well aware of what NIS takes care of, so I guess I should have asked my question a little better. What I was suggesting was if one just runs an anti-virus program alone without any other security type programs, then they must be pretty lucky to not have all the other malware, spam, spybot etc. stuff coming at you. So far my NIS2006 is taking very good care of my computer. The only thing that I really don't like is that there are many options that you must set manually to keep some of the attacks from getting on your computer. One good example is spam.

 

Frank...

"One good example is spam."

 

Frank...

 

For that sucker I run Mailwasher - and bounce the spam right back and also report them to spamcop.

".... just picked up NAV2007 which....."

 

I am running NIS2006 on all my computers and there are only a couple of months left on a couple of the subscriptions for their updates. I have been thinking about buying the new NIS 2007, but have heard that it is a hog for resources, so I'm not sure. You're running just Norton Antivirus, so does just running the anti-virus program alone keep all the other malware, spam etc. out of your computer?

 

Frank...

 

Well, it comes down to me being chickensh*t about the computer and the various innards.

I've just been running NAV for so long (latest 2006, about to change to 2007), that I'm actually afraid to uninstall it. I know, there's even a tool provided by Norton but I just don't need anything broken right now as I'm in the middle of too many things.

I considered F-Secure but I don't know anyone running it and I don't feel like testing it out.

But yes, NAV does hog a system down. It is supposed to keep out spyware and the like (not spam) but I run Spysweeper alongside it anyway, though I might stop because in two years of using it, all I've blocked are some ads and "tracking cookies"....big whoop. Maybe I should knock on wood.

 

On the plus side, I find that if and when it's really necessary to get every bit of resource, Norton can be shut down pretty well. I actually find Spysweeper pretty intrusive. Maybe I'll try the Adaware realtime version...

 

As a side note though, I don't understand why Norton wants to charge me $40 to renew my subscription for 2006, when I bought 2007 for $15 (after rebates and discount). Seems like a waste.

For that sucker I run Mailwasher - and bounce the spam right back and also report them to spamcop.

 

At home I'm an AVG Free 7.5 antivirus, AVG Free 7.5 anti-spyware and Spybot man,

and at work we are a Trend Micro OfficeScan house.

Edited by The Highlander

As a side note though, I don't understand why Norton wants to charge me $40 to renew my subscription for 2006, when I bought 2007 for $15 (after rebates and discount). Seems like a waste.

I think the assumption is if you try it, you'll keep it.

 

I got Norton SW/FW 2005 for free after rebates (WinXP); I bought a 2nd copy for computer #3 (Win2K). (Computer #1 has Norton SW 2002, and FW 2005 (different copy) which ran out last weekend, and the Win98 SE isn't expected to be online again.)

For that sucker I run Mailwasher - and bounce the spam right back and also report them to spamcop.

 

I have used Mailwasher for years. Best spam bouncing software that I have seen.


Neil, Bruce and Daithi, you talked me into it. I'll have to give "Mailwasher" a try, as I'm really not that fond of how NIS2006 takes care of my spam. :) My only thought is how many of the good guys does it catch also?

 

Frank...

Neil, Bruce and Daithi, you talked me into it. I'll have to give "Mailwasher" a try, as I'm really not that fond of how NIS2006 takes care of my spam. :) My only thought is how many of the good guys does it catch also?

 

Frank...

 

You preview your mail from your desktop, Frank. You create friends lists and a block list. The e-mails still show, but they don't come into your computer. You can pick and choose what to delete, or what to delete and bounce. It works well. I can count on one hand the number of times that I checked my e-mail from within the browser, in the past 5 years, or more.


So O.K. Bruce, but how does the program continue to work with my Norton NIS2006 and the "Outlook Express" where I get my e-mails now? I'm pretty much doing what you are suggesting with my NIS2006. When I get an e-mail I can click it and let Norton know that it is spam as far as Outlook Express is concerned and then go into the NIS2006 program and add it to my spam blocked list.

 

Frank...

I ran the sysinternals scan - and found it flagged two entries in the registry:

HKLM\SECURITY\Policy\Secrets\SAC\*

HKLM\SECURITY\Policy\Secrets\SAI\*

 

Both showing 'keyname contains embedded nulls'(*)

 

I did a search on these and they seem to be harmless (they're part of the installed OS) but then, so's Alexa

 

At the risk of being ON topic, what OS has installed these two registry entries Dáithí ? You don't seem to name yours in your sig. Alexa isn't part of the OS, is it?

 

Were they flagged as parts of a rootkit, or is it just that the Sysinternals program didn't like the keynames?


Registry entries on XP SP2 Brendon - they got flagged as having 'null' values. The free Sophos tool didn't flag them at all

 

And yep, Alexa gets installed along with IE6

So O.K. Bruce, but how does the program continue to work with my Norton NIS2006 and the "Outlook Express" where I get my e-mails now? I'm pretty much doing what you are suggesting with my NIS2006. When I get an e-mail I can click it and let Norton know that it is spam as far as Outlook Express is concerned and then go into the NIS2006 program and add it to my spam blocked list.

 

Frank...

 

I'll pm you a picture when I get some mail. Mailwasher uses any mail program you want. I use Outlook Express.


That Mailwasher looks good to me. I get very little spam but times change...

 

Thanks for bringing it up.

When I looked at the registry entry they mentioned. There is nothing there. It is empty under HKLM\Security. I am wondering if they are flagging it because it is empty?

 

Regedit does not show those entries (it hides the subkeys of SECURITY). Try RegAlyzer from Safer Networking:

 

http://www.safer-networking.org/en/download/index.html

 

(note that it is a beta).

 

But in a sense you are right: both \Secrets\SAC and \Secrets\SAI are empty. However leave them alone :-).

Edited by jeanrosenfeld

But in a sense you are right: both \Secrets\SAC and \Secrets\SAI are empty. However leave them alone :-).

 

I did - I checked via google to find out what they were first :)
