
Rootkit Revealer - inprocserver32 entries

gilamonster (Newbie, joined 31 October 2010, Location: MA)
Posted: 31 October 2010 at 5:17pm
My scan found the following:

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*    2/14/2010 3:06 PM    0 bytes    Key name contains embedded nulls (*)

When I go to the registry to find out what they pertain to, I cannot. The key won't open and gives an error: '...error while opening key'.

First of all, is this find cause for alarm?  Can it cause system problems?

I googled this and found that this is a cloaked CLSID. There has been mention that this can be removed by saving the registry, hacking the SOFTWARE file with a HEX editor and changing a value. Then one restores this. Although I don't think it pertains to my question, here is the information:

However, according to the SysInternals web page
(http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&get=last#6776
), there is a possible method to remove this particular cloaked registry
entry.

1. Make a backup of the WinXP registry with ERUNT (whatever that is).
2. Open the backed up software file/hive with a hex editor.
3. Search for the entries {47629D4B-2AD3-4e50-B716-A66C15C63153}.
4. In the text panel, note the textstring “InprocServer”.
5. Note the hex value 0F (15) just before that textstring.
6. Change (edit – Overwrite String) this value to 0E (14).
7. Change all similar entries found (as many as 12).
8. Save this “software” file/hive.
9. Restore the registry & reboot.
10. Open the registry with regedit.
11. Now you can finally delete the now-uncloaked entries.
12. Optionally, run the registry optimizer NTREGOPT.
13. Reboot and this particular cloaking problem is resolved.

All this work to resolve just one cloaked CLSID tells me life would be
easier for all of us if we at least had a lookup table for CLSID to
product "owners".
When I looked with a HEX editor after saving the registry, I did not find the value '0F' before the text string 'inprocserver32'.

I am wondering if anyone has tried this and perhaps found some other hex value to allow one to open and delete?


Thanks!!!
Gilamonster
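The hex-editing procedure quoted in the post above, done programmatically, as an added example that is not part of the original post, of RootkitRevealer or of any Sysinternals tool. Regedit and the Win32 registry API treat key names as NUL-terminated strings, while the native API stores them as counted strings, so a key whose stored name is "InprocServer32\0" (15 bytes, 0x0F) cannot be opened by name; shortening the stored length to 14 (0x0E) makes the name end before the NUL. The script below walks an offline copy of a hive (such as the SOFTWARE file saved by ERUNT): it parses the regf base block, the hbin blocks and their cells, and for every `nk` key record whose name contains a NUL it rewrites the 16-bit name-length field at offset 0x48 of the record (the name itself starts at 0x4C, so the length byte sits four bytes before the text rather than immediately before it). It also handles names stored as UTF-16LE (records without the KEY_COMP_NAME flag), where the stored length is a byte count of the UTF-16 encoding, so a lone '0F' byte would not appear. The hive and key records in the demo are constructed test data, not a real SOFTWARE hive; the offsets and flag value are from the documented regf layout.

```python
"""Offline hive scanner/patcher for key names with embedded NULs.
Added example for this thread; not RootkitRevealer, RegDelNull or the poster's code."""
import struct

KEY_COMP_NAME = 0x0020   # nk flag: name stored as 8-bit chars; otherwise UTF-16LE
REGF_HDR = 0x1000        # size of the regf base block; first hbin follows it
HBIN_HDR = 0x20          # hbin header size; first cell starts after it
NK_NAMELEN_OFF = 0x48    # 16-bit key-name length inside an nk record
NK_NAME_OFF = 0x4C       # key name bytes inside an nk record


def iter_cells(hive):
    """Yield (offset_of_cell, cell_payload) for every allocated cell in every hbin."""
    assert hive[:4] == b"regf", "not a regf hive"
    pos = REGF_HDR
    while pos + HBIN_HDR <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        end, cell = pos + hbin_size, pos + HBIN_HDR
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]   # negative = allocated cell
            if size == 0:
                break                                        # zero-filled tail (constructed hives)
            if size < 0:
                yield cell, hive[cell + 4:cell - size]
            cell += abs(size)
        pos = end


def find_null_names(hive):
    """Return [(name_length_field_offset, flags, raw_name, decoded_name)] for nk
    records whose key name contains a NUL, the case Regedit cannot open."""
    hits = []
    for off, data in iter_cells(hive):
        if data[:2] != b"nk" or len(data) < NK_NAME_OFF:
            continue
        flags = struct.unpack_from("<H", data, 2)[0]
        name_len = struct.unpack_from("<H", data, NK_NAMELEN_OFF)[0]
        raw = data[NK_NAME_OFF:NK_NAME_OFF + name_len]
        if flags & KEY_COMP_NAME:
            name = raw.decode("latin-1")                 # length counts characters
        else:
            name = raw.decode("utf-16-le", "replace")    # length counts bytes (2 per char)
        if "\x00" in name:
            hits.append((off + 4 + NK_NAMELEN_OFF, flags, raw, name))
    return hits


def uncloak(hive):
    """Return (patched_hive, [names]) with each NUL-containing name length shortened
    so the stored name ends just before its first NUL (0x0F -> 0x0E for InprocServer32)."""
    patched = bytearray(hive)
    changed = []
    for len_off, flags, raw, name in find_null_names(hive):
        visible = name.split("\x00", 1)[0]
        new_len = len(visible) if flags & KEY_COMP_NAME else 2 * len(visible)
        struct.pack_into("<H", patched, len_off, new_len)
        changed.append(visible)
    return bytes(patched), changed


def make_nk(name, compressed=True):
    """Build a minimal allocated nk cell (constructed test data, not from a real hive)."""
    body = bytearray(NK_NAME_OFF)
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 2, KEY_COMP_NAME if compressed else 0)
    struct.pack_into("<H", body, NK_NAMELEN_OFF, len(name))
    body += name
    size = (4 + len(body) + 7) & ~7                      # cells are 8-byte aligned
    cell = struct.pack("<i", -size) + bytes(body)
    return cell + b"\x00" * (size - len(cell))


def make_hive(cells):
    """Wrap cells in one hbin behind a 4 KiB regf base block (constructed test data)."""
    body = b"".join(cells)
    hbin_size = (HBIN_HDR + len(body) + 0xFFF) & ~0xFFF
    hbin = bytearray(hbin_size)
    hbin[0:4] = b"hbin"
    struct.pack_into("<I", hbin, 8, hbin_size)
    hbin[HBIN_HDR:HBIN_HDR + len(body)] = body
    header = bytearray(REGF_HDR)
    header[0:4] = b"regf"
    return bytes(header) + bytes(hbin)


if __name__ == "__main__":
    hive = make_hive([
        make_nk(b"CLSID"),
        make_nk(b"InprocServer32\x00"),                                    # cloaked, as in the post
        make_nk("InprocServer32".encode("utf-16-le"), compressed=False),  # normal UTF-16 name
        make_nk(b"LocalServer32"),
    ])
    for len_off, flags, raw, name in find_null_names(hive):
        print(f"length field at 0x{len_off:X}: {raw!r} (stored length {len(raw)})")
    fixed, changed = uncloak(hive)
    print("patched:", changed, "remaining:", find_null_names(fixed))
```

Run it only against a copy of the hive taken while Windows is not using it, and keep the ERUNT backup: the regf base block checksum covers only the header, not hbin data, so the patched length does not invalidate it, but a wrong offset elsewhere in the file will leave the hive unloadable. After the patched hive is restored and the machine rebooted, the key opens in Regedit under its visible name and can be deleted normally.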
nullptr (Senior Member, joined 06 April 2008, Location: Australia)
Posted: 31 October 2010 at 5:52pm
> When I go to the registry to find out what they pertain to, I cannot. The key won't open and gives an error: '...error while opening key'

That's because the key name contains an embedded null.

Assuming you are using XP 32-bit, you could use GMER's registry viewer. That will show the contents of those keys. If you decide to delete them, back up your registry first with something like ERUNT, then use Sysinternals RegDelNull to remove them.

If nothing strange is happening with your computer, I'd just leave them alone.