Author Topic: Strange registry keys  (Read 11464 times)


July 24, 2015, 04:07:02 PM

Aruval (Newbie)
Strange registry keys
« on: July 24, 2015, 04:07:02 PM »


I would like to know if these keys RK ... are created by RogueKiller.

Reply #1, July 25, 2015, 09:42:20 PM

Curson (Global Moderator, Hero Member)
Re: Strange registry keys
« Reply #1 on: July 25, 2015, 09:42:20 PM »
Hi Aruval,

Welcome to Adlice.com Forum.
Yes, these keys are legit.

Regards.

Reply #2, July 26, 2015, 08:34:15 PM

Aruval (Newbie)
Re: Strange registry keys
« Reply #2 on: July 26, 2015, 08:34:15 PM »
Hi Curson

OK, thanks. I know that RogueKiller was the first thing to suspect, but the problem is that "RK" is either "RogueKiller" or the very non-specific "Registry Keys",
and what made me believe in the possibility of an undetected malware is that RK reported a threat on one of these keys, so I thought: if these are RK's keys, how can it report a malware suspicion on them???

Reply #3, July 26, 2015, 08:36:27 PM

Aruval (Newbie)
Re: Strange registry keys
« Reply #3 on: July 26, 2015, 08:36:27 PM »
Also, the reproduction tests did not work; I was not able to get these keys again.
I wonder if they are not keys that appear only when the process is terminated before the end ...

Reply #4, July 28, 2015, 12:32:33 AM

Curson (Global Moderator, Hero Member)
Re: Strange registry keys
« Reply #4 on: July 28, 2015, 12:32:33 AM »
Hi Aruval,

Could you please copy/paste the full RogueKiller report in your next post?

Regards.

Reply #5, July 29, 2015, 12:16:39 AM

Aruval (Newbie)
Re: Strange registry keys
« Reply #5 on: July 29, 2015, 12:16:39 AM »
For what I said, I had exactly this in the report:

HKEY_LOCAL_MACHINE\RK_Software_ON_E_6E77\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1

Reply #6, July 29, 2015, 12:20:29 AM

Aruval (Newbie)
Re: Strange registry keys
« Reply #6 on: July 29, 2015, 12:20:29 AM »
RogueKiller V10.8.4.0 [Jun 15 2015] by Adlice Software
email : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Operating system : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Propriétaire [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 06/25/2015  17:33:56

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[PUM.Proxy] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8118  -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\RK_Software_ON_E_6E77\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | AntiVirusDisableNotify : 1  -> Found
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1  -> Found
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | UpdatesDisableNotify : 1  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1993962763-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts file : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0: ST3500630A +++++
--- User ---
[MBR] a00744f367fa634becf790b0f95e5a08
[BSP] bf18b79ae6cdd05b7dce09b5c8b55254 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 10244 MB [Windows XP Bootstrap | Windows XP Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 20980890 | Size: 10244 MB [Windows XP Bootstrap | Windows XP Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 41961780 | Size: 10244 MB [Windows XP Bootstrap | Windows XP Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 62942670 | Size: 446203 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_06122015_000640.log - RKreport_SCN_06132015_100018.log - RKreport_SCN_06132015_210827.log - RKreport_SCN_06202015_131708.log
RKreport_SCN_06202015_154437.log - RKreport_SCN_06232015_125922.log - RKreport_DEL_06232015_130424.log

Reply #7, July 30, 2015, 12:01:40 PM

Tigzy (Administrator, Hero Member; Owner, Adlice Software)
Re: Strange registry keys
« Reply #7 on: July 30, 2015, 12:01:40 PM »
Hello,

Sorry to disturb, I can add some information :)

RK_Something are hives from external disks loaded by RogueKiller during a scan.
Like: RK_Software_On_K means "Hive loaded from K:/Windows/system32/config/SOFTWARE"

This is how RogueKiller scans the registry of external drives (with the Honey module); those hives are normally unmounted after the scan, or on close.

EDIT: You may see some others in HKEY_USERS.
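The mechanism Tigzy describes, as an added example that is not RogueKiller's or Adlice's own code: the script mounts an offline SOFTWARE hive under a temporary HKLM name of the same shape as the RK_Software_ON_E_6E77 key in the report, reads DisableSR from the live hive and from the mounted one so the two report lines can be told apart, and unloads the hive in a finally block, because a scan killed part-way (the case Aruval suspected) never reaches the unmount and leaves the RK_* key behind. The drive letter E:, the mount-point name and the SystemRestore value path are assumptions; the thread does not explain the hex suffix, so a fixed name is used. Windows only, run from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not RogueKiller's code. Assumptions: the rescue Windows install
# lives on E:\ (the SD card in the thread); the mount-point name is arbitrary and
# only mimics the RK_Software_ON_<drive>_<suffix> shape seen in the report.
$OfflineHive = 'E:\Windows\System32\config\SOFTWARE'   # assumed location of the offline hive
$MountName   = 'RK_Software_ON_E_TEST'                 # assumed name (suffix not explained on the page)
$SrKeyPath   = 'Microsoft\Windows NT\CurrentVersion\SystemRestore'

function Get-DisableSR {
    # Returns the DisableSR value under the given hive root, or $null if the key/value is absent.
    param([Parameter(Mandatory)][string]$HiveRoot)   # e.g. 'HKLM:\SOFTWARE' or 'HKLM:\RK_Software_ON_E_TEST'
    $key  = Join-Path $HiveRoot $SrKeyPath
    $item = Get-ItemProperty -Path $key -Name DisableSR -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DisableSR
}

function Get-LeftoverRkHives {
    # Any HKLM\RK_* subkey still present is a hive an earlier scan did not unload.
    Get-ChildItem -Path 'HKLM:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'RK_*' } |
        ForEach-Object { $_.PSChildName }
}

# 1. The live hive: this is the value that governs the machine actually running.
$live = Get-DisableSR -HiveRoot 'HKLM:\SOFTWARE'
"Live    HKLM\SOFTWARE          DisableSR = $(if ($null -eq $live) { 'not set' } else { $live })"

# 2. Mount the offline hive the way the thread describes. reg.exe load needs
#    backup/restore privilege (elevated prompt) and the hive file must not be in use.
& reg.exe load "HKLM\$MountName" $OfflineHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $OfflineHive (exit code $LASTEXITCODE)" }

try {
    # 3. Same query against the mounted hive. The answer describes the rescue
    #    install on the card, not the running system, although it shows up under HKLM.
    $offline = Get-DisableSR -HiveRoot "HKLM:\$MountName"
    "Offline HKLM\$MountName  DisableSR = $(if ($null -eq $offline) { 'not set' } else { $offline })"
}
finally {
    # 4. Unload no matter what. Had the process been killed before this point,
    #    HKLM\RK_Software_ON_E_TEST would survive until reboot or a manual unload.
    [GC]::Collect()                      # release cached RegistryKey handles first, or unload fails with "access denied"
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; run manually: reg unload HKLM\$MountName" }
}

# 5. Hygiene check for the leftover case Aruval asked about.
$stale = @(Get-LeftoverRkHives)
if ($stale.Count -eq 0) {
    'No leftover RK_* hives under HKLM.'
} else {
    $stale | ForEach-Object { "Leftover hive HKLM\$_ -- unload with: reg unload HKLM\$_" }
}
```

Read against the report above: the DisableSR : 1 under RK_Software_ON_E_6E77 describes the offline install on the card, while the second line, under HKEY_LOCAL_MACHINE\Software, is the one that applies to the live XP. If the hygiene check lists a leftover hive, unload it (and rescan) before drawing conclusions from findings under that key, since a stale mount makes the offline install's settings look like part of the running machine.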

Reply #8, August 20, 2015, 11:12:39 AM

Aruval (Newbie)
Re: Strange registry keys
« Reply #8 on: August 20, 2015, 11:12:39 AM »
Yes, that is exactly what I had: an SD card with a Windows PE ... and a custom rescue Windows XP on it.

Reply #9, August 20, 2015, 04:11:05 PM

Curson (Global Moderator, Hero Member)
Re: Strange registry keys
« Reply #9 on: August 20, 2015, 04:11:05 PM »
Hi Aruval,

Thanks for the feedback.

Regards.