Tuesday, November 01, 2005

RootkitRevealer

After my post yesterday on SysInternals and listening to the RootKit episode of Security Now, I decided to give RootkitRevealer a whirl on my system. It turned up a slab of hidden registry class ID keys underneath HKLM\SOFTWARE\Classes\CLSID:

{47629D4B-2AD3-4e50-B716-A66C15C63153}
{604BB98A-A94F-4a5c-A67C-D8D3582C741C}
{684373FB-9CD8-4e47-B990-5A4466C16034}
{74554CCD-F60F-4708-AD98-D0152D08C8B9}
{7EB537F9-A916-4339-B91B-DED8E83632C0}
{948395E8-7A56-4fb1-843B-3E52D94DB145}
{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}
{DE5654CA-EB84-4df9-915B-37E957082D6D}
{E39C35E8-7488-4926-92B2-2F94619AC1A5}
{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}
{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}
I was mildly worried and spent a bit of time tracking down these keys. I think I can say pretty definitely what they're for now; it's Pinnacle Studio 9 hiding their registration keys. Irritatingly, Studio doesn't handle logging in as a non-admin properly, either - every time I start it I have to click the little message that says "Don't show this screen again".