Strange Registry Entry Found by SysInternals RootkitRevealer


Nick B.

I just ran a RootkitRevealer utility and it found a strange looking
registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\Ø#›uxQ

RootkitRevealer complained that the key name contained embedded nulls.

In taking a look at the key using Microsoft's Registry Editor, I found
the following entries for this key:

Name            Type     Data
=============== ======== ========================================
default         REG_SZ   (value not set)
InstallCabFile  REG_SZ   C:\DOCUME~1\USERNA~1\LOCALS~1\Temp\IXP000.tmp\dxddex.cab

The IXP000.tmp\dxddex.cab directory and file no longer exist.

JV16 Power Tools shows this key as last modified at: 17.09.2004, 16:26
So, I did a search using JV16 and found that this registry entry time had
other modifications occur at the same time too, starting with this one:

Root : HKEY_LOCAL_MACHINE
Key : SOFTWARE\Microsoft\Advanced INF Setup\ConnectionConfiguration\RegBackup
Entry : {KEY}
Value : {KEY}
Last modified : 17.09.2004, 16:26

and ending with this one:

Root : HKEY_USERS
Key : .DEFAULT\Software\Microsoft\Advanced INF Setup
Entry : {KEY}
Value : {KEY}
Last modified : 17.09.2004, 16:26

I counted 86 keys that were modified at that same time. So, it looks to me
like it was modified as part of a Windows Update I did. Should I just
ignore it and not worry about it?

Nick
--
 
That key pointing to the users Temp Directory is Microsoft's DirectX setup &
is fine.

JV16 is a Registry Cleaner & other tools:

Registry Manager
Registry Cleaner
Registry Monitor
Registry Finder
Console
Backup Tool
Directory Tool
File Tool

http://www.jv16.org

The latest version costs, but I think this is the Freeware version. If not,
it's a trial & costs $30

http://downloads.pcworld.com/pub/new/utilities/system_resources_tune_up_/jv16pt_setup.exe

I hope this helps

Crouchie1998
BA (HONS) MCP MCSE
 
Crouchie1998 said:
> That key pointing to the users Temp Directory is Microsoft's DirectX setup &
> is fine.

What is fine/normal about it? Why should a key point to something that can
legitimately be deleted? In fact, the directory and file it points to have
been deleted - presumably making this key useless. Also, isn't it unusual
that the key name uses non-ASCII characters?

> JV16 is a Registry Cleaner & other tools:
>
> Registry Manager
> Registry Cleaner
> Registry Monitor
> Registry Finder
> Console
> Backup Tool
> Directory Tool
> File Tool
>
> http://www.jv16.org

Yes, I know this. I mentioned JV16 because I used it to examine the
registry.

> I hope this helps

Thanks for the reply, but you didn't really answer any of my questions.
Maybe I didn't explain the situation very well?

Nick
--
 
Nick B. said:
> I just ran a RootkitRevealer utility and it found a strange
> looking registry key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\Ø#›uxQ
>
> RootkitRevealer complained that the key name contained embedded
> nulls.
>
> In taking a look at the key using Microsoft's Registry Editor, I
> found the following entries for this key:
>
> Name            Type     Data
> =============== ======== ========================================
> default         REG_SZ   (value not set)
> InstallCabFile  REG_SZ   C:\DOCUME~1\USERNA~1\LOCALS~1\Temp\IXP000.tmp\dxddex.cab
>
> The IXP000.tmp\dxddex.cab directory and file no longer exist.
>
> JV16 Power Tools shows this key as last modified at: 17.09.2004,
> 16:26 So, I did a search using JV16 and found that this registry
> entry time had other modifications occur at the same time too,
> starting with this one:
>
> Root : HKEY_LOCAL_MACHINE
> Key : SOFTWARE\Microsoft\Advanced INF Setup\ConnectionConfiguration\RegBackup
> Entry : {KEY}
> Value : {KEY}
> Last modified : 17.09.2004, 16:26
>
> and ending with this one:
>
> Root : HKEY_USERS
> Key : .DEFAULT\Software\Microsoft\Advanced INF Setup
> Entry : {KEY}
> Value : {KEY}
> Last modified : 17.09.2004, 16:26
>
> I counted 86 keys that were modified at that same time. So, it
> looks to me like it was modified as part of a Windows Update I
> did. Should I just ignore it and not worry about it?

That particular key appears to be "left over". I have nothing
similar here (W2K). I don't know why it should appear as it does
(characters), unless possibly some corruption occurred during its
creation. If that is true, then that may also be the reason it was
not "cleaned up" automatically. If the key-name actually contained
embedded nulls, most likely the OS registry tools would not let you
see into it. You may want to write to Sysinternals if you can
provide details as Mark and Bryce are still fine-tuning and
improving RKR. I'd also search the local volumes for that
dxddex.cab file and attempt to verify it is really the MS provided
file. There may be a hotfix logfile for this patch/fix in
%systemroot% that *might* have additional clues in it (worth a look
perhaps).

Were it mine, I'd remove the key (if possible) after making
suitable backup and some detailed notes. FWIW and YMMV

You can also just ignore it of course. Often this is the safest
course when in doubt.
 
There was exactly the same question about embedded nulls in this forum a
week ago. Sysinternals has a C++ example on creating such a key &
deleting it from the registry, but their example leaves behind a registry
key one level up, but that particular one can be deleted using regedit.
Although, a sloppy example.

If you want to delete it then you need to change token privileges & that
should be enough for you to delete that key

Crouchie1998
BA (HONS) MCP MCSE
 
Mark said:
> That particular key appears to be "left over". I have nothing
> similar here (W2K). I don't know why it should appear as it does
> (characters), unless possibly some corruption occurred during its
> creation. If that is true, then that may also be the reason it was
> not "cleaned up" automatically. If the key-name actually contained
> embedded nulls, most likely the OS registry tools would not let you
> see into it. You may want to write to Sysinternals if you can
> provide details as Mark and Bryce are still fine-tuning and
> improving RKR. I'd also search the local volumes for that
> dxddex.cab file and attempt to verify it is really the MS provided
> file. There may be a hotfix logfile for this patch/fix in
> %systemroot% that *might* have additional clues in it (worth a look
> perhaps).
>
> Were it mine, I'd remove the key (if possible) after making
> suitable backup and some detailed notes. FWIW and YMMV
>
> You can also just ignore it of course. Often this is the safest
> course when in doubt.

Hi Mark,

I did a search to see what files may contain the string 'dxddex.cab'
and found the following:

MEMORY.DMP in C:\WINNT\
actmovie.exe in C:\WINNT\system32\
actmovie.exe in C:\WINNT\system32\dllcache\
msdxddex.inf in C:\WINNT\inf\

So, it looks like something that was part of a Microsoft hot fix, just
like you suggested. I also did a google search on the string 'dxddex.cab'
and found the following page:

http://support.microsoft.com/?kbid=265092#XSLTH3128121122120121120120

It listed the contents of DxDDex.cab in an Internet
Explorer 5.5 installation list:

Ddexinst.exe 47,616 01/11/99 6.01.05.0111
Ddrawex.dll 40,192 09/17/97 4.71.1112.0
Msdxddex.inf 2,098 01/08/99

It doesn't quite match up, but it's pretty close and I've done many
updates since installing IE5.5.

I'll take your advice and remove it (after backing up my registry just
to be on the safe side).

Thanks for your help!

Nick
--
 
I replied to this user about this point, but he said that he knew & should
have rephrased the question differently.

Crouchie1998
BA (HONS) MCP MCSE
 
Crouchie1998 said:
> I replied to this user about this point, but he said that he knew & should
> have rephrased the question differently.
>
> Crouchie1998
> BA (HONS) MCP MCSE

MarkV's explanation was more understandable to me, but thanks also for
your replies Crouchie1998.

Kind regards,

Nick
--
 
I am looking at it from the point of view of a programmer, which I am, & not from an
operating system side. You are the second person in around a week to ask a
similar question about an embedded null registry key.

The Sysinternals example I was talking about creates a key
(HKEY_LOCAL_MACHINE\Software\SystemInternals\Try To Delete Me!) or something
similar. When you click OK to the message box that is in their example it
deletes the registry key 'Try To Delete Me!', but leaves the SystemInternals
one behind. For me, that is sloppy programming.

For me to write an application to delete that registry key you wanted
deleted would take me less than 5 minutes.

Crouchie1998
BA (HONS) MCP MCSE
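The two technical points in this thread, why RootkitRevealer flags a key whose name "contains embedded nulls" and why regedit cannot open or delete it, come down to one fact: Win32 registry calls such as RegOpenKeyExW and RegDeleteKeyW take a NUL-terminated string, so the part of the name after the first NUL can never be passed through them, while the native API (NtOpenKey/NtDeleteKey) takes a counted UNICODE_STRING and has no such limit. The example below is added here and is not code from the thread, from Sysinternals or from Microsoft. It shows the RootkitRevealer-style comparison of a native subkey listing against a Win32 listing on constructed sample names (the child names are made up; the real key name from the first post is not reproduced), and a deletion routine that builds the counted string and calls ntdll directly, which is the approach a programmer would take rather than adjusting token privileges. The native path form `\Registry\Machine\...` is the kernel name for HKEY_LOCAL_MACHINE; the deletion part can only run on Windows and needs administrative rights on the parent key.

```python
"""Added example: embedded-NUL registry key names, detection and native deletion."""
import ctypes
import sys
from typing import List, Tuple

# Parent key from the thread, in native (kernel) notation. The subkey names
# below are CONSTRUCTED for illustration; "Demo\x00Hidden" stands in for a key
# with an embedded NUL and "Stealth" for a key a rootkit filters out of the
# Win32 enumeration entirely.
PARENT_NATIVE = r"\Registry\Machine\SOFTWARE\Microsoft\Advanced INF Setup"
SAMPLE_NATIVE_SUBKEYS = ["ConnectionConfiguration", "Demo\x00Hidden", "Plain", "Stealth"]
SAMPLE_WIN32_SUBKEYS = ["ConnectionConfiguration", "Demo", "Plain"]

EMBEDDED_NULL = "Key name contains embedded nulls"
HIDDEN = "Hidden from Windows API"


def win32_visible_name(native_name: str) -> str:
    """The name as any caller treating it as a NUL-terminated wide string sees it.

    RegOpenKeyExW / RegDeleteKeyW take LPCWSTR, so only this prefix can ever be
    handed to them; the real key is unreachable through Win32.
    """
    nul = native_name.find("\x00")
    return native_name if nul < 0 else native_name[:nul]


def scan_for_discrepancies(native_names: List[str], win32_names: List[str]) -> List[Tuple[str, str]]:
    """RootkitRevealer-style check: native enumeration versus Win32 enumeration.

    A name containing a NUL is reported as such; a name present natively but
    absent from the Win32 view is reported as hidden from the Windows API.
    """
    findings = []
    win32_set = set(win32_names)
    for name in native_names:
        if "\x00" in name:
            findings.append((name, EMBEDDED_NULL))
        elif name not in win32_set:
            findings.append((name, HIDDEN))
    return findings


class UNICODE_STRING(ctypes.Structure):
    # Counted string: Length is in bytes and may cover embedded NULs.
    _fields_ = [("Length", ctypes.c_ushort),
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_void_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


OBJ_CASE_INSENSITIVE = 0x40
DELETE = 0x00010000  # standard access right needed by NtDeleteKey


def build_unicode_string(text: str):
    """Encode text as UTF-16LE into a UNICODE_STRING; returns (struct, backing buffer).

    The caller must keep the buffer alive for as long as the struct is used.
    """
    raw = text.encode("utf-16-le")
    buf = ctypes.create_string_buffer(raw, len(raw) + 2)  # memmove copies past NULs
    return UNICODE_STRING(len(raw), len(raw) + 2, ctypes.addressof(buf)), buf


def delete_key_native(native_path: str) -> None:
    """Delete a key by native path, even if the last component contains NULs (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NtOpenKey/NtDeleteKey exist only on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    for fn in (ntdll.NtOpenKey, ntdll.NtDeleteKey, ntdll.NtClose):
        fn.restype = ctypes.c_long  # NTSTATUS; negative means failure
    name, keepalive = build_unicode_string(native_path)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(name), OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), DELETE, ctypes.byref(attrs))
    if status < 0:
        raise OSError(f"NtOpenKey failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    try:
        status = ntdll.NtDeleteKey(handle)
        if status < 0:
            raise OSError(f"NtDeleteKey failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    finally:
        ntdll.NtClose(handle)


if __name__ == "__main__":
    for name, reason in scan_for_discrepancies(SAMPLE_NATIVE_SUBKEYS, SAMPLE_WIN32_SUBKEYS):
        print(f"{PARENT_NATIVE}\\{name!r}: {reason} (Win32 sees {win32_visible_name(name)!r})")
    if len(sys.argv) > 1 and sys.argv[1] == "--delete-demo" and sys.platform == "win32":
        delete_key_native(PARENT_NATIVE + "\\Demo\x00Hidden")
```

In practice the native listing comes from NtEnumerateKey and the Win32 listing from RegEnumKeyExW on the same parent; the comparison function is the same. Back up the parent key first, as the thread advises, since a native delete is not reversible.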
 