HKLM\Security\Policy\Secrets rootkits

Just discovered that with RootKit Revealer and I'm sure it was not there a couple of weeks ago:

HKLM\Security\Policy\Secrets\SAC*  Key name contains embedded nulls

HKLM\Security\Policy\Secrets\SAI*  Key name contains embedded nulls

Of course these keys are not visible with RegEdit

Could it be the result of some software (Cryptainer, Outpost) hiding the keys or of some malware?

Any advise will be appreciated

Hervé

 

 

Thanks a lot..after investigating with possible "culprits", these legitimate keys appear to be written by the Spy Sweeper software.

Hervé

 

Hello.
New on the forum.
I have just the same detections found this morning:
Full LOG obtained with RootkitRevealer 1.71 on Windows XP Home SP2:

HKLM\SECURITY\Policy\Secrets\SAC*    19/01/2005 11:04    0 bytes    Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*    19/01/2005 11:04    0 bytes    Key name contains embedded nulls (*)

Thanhs to namehto who seems to have already given an answer.
By the way, I don't got Spy Sweeper ...
Have a good week end



Edited by P.SCD - 11 November 2006 at 3:45am

I am just wondering if these have been there all along, but never been picked up by the earlier versions of RKR

This has been confirmed. RKR 1.71 evidently now checks the security hive.

Ditto  here ...

These two keys seem to be resident in XP .

I took alarm to them at 1st , but based on the responses here am releived .

Heres something interesting though ,

I scanned a clients troubled PC exhibiting the " haunted house " effect , and she says it showed 10,000 plus discrepencies !

I havent been on-site yet ( it will be friday the 17th ) to see for myself . Her Boss told me when I asked him weeks ago the he hasnt installed any "ghost-ware" .  Yet there are lots of anomalies that I cant explain . Get this - today during the scan , she says he was hanging out near her and her computer , glancing at the monitor a lot and looking quite suspicious as the scan built-up it results . I think I have the bastard caught . Im billing them hundreds of dollars if I indeed find traces or evidence of the type of Ghost-ware he has been PROVEN to run on his own computers .  He has cost me lots of time and effort trying to root-out ( no pun ) problems on this particular machine . Am I fair for punishing him for his stunts if I can determine indeed he has back-doored this machine for whatever reason ? I mean , he denied doing this type of thing when asked , so Ive been misled . He also never looked me directly in the face when I asked him either . Oh Im so pissed ! 

They have money ( real estate brokers ) , and Ive wasted so much time fixing and re-fixing stuff , just to have unexplainable things changing after Im done . She IS his employee , but honesty is all I asked for .  Damn him .