Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Usage

Error dumping hive

louiscar (Newbie; joined 25 April 2009; posts: 5)
Posted: 25 April 2009 at 7:30am
I just scanned my system and ended up with a few things that I investigated and then fixed after creating a restore point.
 
The fixes were embedded nulls which I established were from legit software I no longer had on my system, so I removed them using RegDelNull.
 

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 9/27/2008 02:58 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 9/27/2008 02:58 0 bytes Key name contains embedded nulls (*)
 
After rescanning I am getting several errors dumping hive. Whether this was due to running RegDelNull or not I have no idea but I restored the registry and am still getting the following:
 

HKU\.DEFAULT 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-19 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-19_Classes 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-20 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-20_Classes 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-21-1715567821-1409082233-839522115-1003 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-21-1715567821-1409082233-839522115-1003_Classes 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKU\S-1-5-18 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\HARDWARE 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SAM 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SECURITY 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SOFTWARE 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SYSTEM 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
 
Note the date stamp (did they have computers back then?) :)
 
At this point the status bar shows:
 
Dumping HKLM SYSTEM hive
 
 ... then an error (see below)
 
Edit:
 
What I forgot to mention is that on the first scan RKR stopped eventually with an error:
 
"An error occurred in CMD.EXE that prevents RootkitRevealer from accurately analysing your system.
If CMD.EXE is available on your system please report the failure."
 
and on the second scan eventually I get the same thing.
 
CMD.exe is definitely available, I use it regularly and checked after this message without any problems.
 
Perhaps on the first scan RKR messed something up by terminating abnormally? Either way it seems like it's permanent.
 
Can anyone tell me what went wrong and how to fix this?


Edited by louiscar - 25 April 2009 at 7:51am
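As an added example, not from the thread or from Sysinternals: a small Python triage helper for RootkitRevealer output lines in the format quoted above. It classifies each discrepancy and flags the 1/1/1601 timestamps, which are a zero Windows FILETIME (its epoch is 1601-01-01 00:00 UTC, shown here as 01:00 once the local time zone offset is applied) rather than a real date, so the hive-dump failures carry no timestamp at all. The sample lines are constructed from the ones in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the line format RootkitRevealer uses:
# <key path> <date> <time> <size> bytes <description>
SAMPLE = """\
HKLM\\SOFTWARE\\Classes\\CLSID\\{47629D4B-2AD3-4e50-B716-A66C15C63153}\\InprocServer32* 9/27/2008 02:58 0 bytes Key name contains embedded nulls (*)
HKU\\.DEFAULT 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\\SYSTEM 1/1/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) bytes (?P<desc>.*)$"
)

# A Windows FILETIME counts 100 ns ticks from 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_line(line: str):
    """Parse one RKR output line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    if rec["desc"].startswith("Error dumping hive"):
        rec["kind"] = "hive-dump-error"      # RKR could not read the hive at all
    elif "embedded nulls" in rec["desc"]:
        rec["kind"] = "embedded-null-key"    # key hidden from Regedit; check its origin
    else:
        rec["kind"] = "other"
    # FILETIME zero renders as 1/1/1601: no timestamp was recorded.
    rec["zero_timestamp"] = rec["date"] == "1/1/1601"
    return rec


def triage(text: str):
    """Parse every line of an RKR report, skipping lines that do not match."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]
```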
louiscar (Newbie; joined 25 April 2009; posts: 5)
Posted: 25 April 2009 at 8:36am
Might be worth mentioning, after checking a few related threads, that I have not detected malware using several scanners and have no abnormal problems that others reported such as regedit closing or crashing explorer etc.
 
I decided to run RKR because Services.exe is taking up 640MB of memory. Once I had freed this memory using Process Hacker, only to find it eventually returned, I then looked at what was happening with Process Monitor at the point where the memory popped back up to 640MB. It showed some FASTIO_READ events at that point, and a Google search for FASTIO_READ and services.exe led me to a discussion on rootkits.
 
 
molotov (Moderator Group; joined 04 October 2006; posts: 17287)
Posted: 26 April 2009 at 5:12am
Hi louiscar,

If you reboot, are you still unable to scan with RKR?  Have you tried another ARK such as Root Repeal?
Daily affirmation:
net helpmsg 4006
louiscar (Newbie; joined 25 April 2009; posts: 5)
Posted: 26 April 2009 at 3:22pm
Originally posted by molotov:

    Hi louiscar,

    If you reboot, are you still unable to scan with RKR?  Have you tried another ARK such as Root Repeal?
 
Still happens after a reboot. As I say, I restored the registry to see if it was something I had done.
 
I just downloaded RootRepeal, which runs ok although it doesn't seem to try to load hives. Interestingly it comes up with MBR rootkit detected on C: - don't know if that's a false positive or not (guessing that it is).


Edited by louiscar - 26 April 2009 at 4:02pm
molotov (Moderator Group; joined 04 October 2006; posts: 17287)
Posted: 27 April 2009 at 3:23am
What about GMER?

    don't know if that's a false positive or not (guessing that it is)

Interesting... Are you sure?
Daily affirmation:
net helpmsg 4006
louiscar (Newbie; joined 25 April 2009; posts: 5)
Posted: 27 April 2009 at 6:09pm
Looks like it's the Mebroot rootkit, unfortunately.
molotov (Moderator Group; joined 04 October 2006; posts: 17287)
Posted: 27 April 2009 at 6:20pm
That would of course have some impact on what you are experiencing...
Daily affirmation:
net helpmsg 4006
louiscar (Newbie; joined 25 April 2009; posts: 5)
Posted: 27 April 2009 at 7:41pm
It's certainly the reason for the bloated services.exe. Once I removed the compromising data file it returned to normal size. Just have to deal with the rootkit now.

Edited by louiscar - 27 April 2009 at 7:42pm