sagy
New Member
3 Posts
Posted - May 24 2005 : 08:15:12 AM
Hi,
Running RootkitRevealer from Sysinternals.com on a PC with Visual Assist X installed returns a hit on a suspiciously formatted registry entry. Cross-checking for apps that are responsible for this, I found evidence that it might be Visual Assist-related:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\-?*AEvents 13.04.2004 18:54 0 bytes Key name contains embedded nulls (*) [-?* replaces the special character sequence containing the null byte]
The effect of the null byte insertion is that it cuts off the key name when accessed through the Windows API, e.g. you can't see the key's name in regedit, but rather an empty caret.
Visual Assist X was installed on top of VA 6.0, so I am not sure whether to attribute the key to VA X or 6.0. Can anyone confirm this key has something to do with VA? I would feel better if I knew where it comes from.
If yes, why the obscure formatting with null bytes? I am a bit picky about this sort of finding...
Thanks for any hints - Bernd
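The truncation described in the post, as an added example that is not part of the original thread or of Visual Assist: a Python script (all function names and the sample key names are my own constructions) that compares the kernel's counted view of a registry key name with the null-terminated view Win32 callers such as regedit get. On Windows it enumerates the real subkeys of the key named in the post through ntdll's NtOpenKey/NtEnumerateKey, which hand back the full counted name; elsewhere it runs over constructed sample names so the check itself can be exercised.

```python
"""Added example (not from the forum thread or Whole Tomato): flag registry key
names that the Win32 API truncates because they contain embedded nulls.

The NT kernel stores key names as counted UNICODE_STRINGs; the Win32 registry
API, regedit and most tools treat names as null-terminated, so everything from
the first U+0000 onward disappears, which is the symptom described in the post.
"""
import sys
import ctypes

# Constructed sample names (not real findings) so the checks run off Windows.
# "WPAEvents" stands in for a normal key; the other two carry embedded nulls.
SAMPLE_NATIVE_NAMES = ["WPAEvents", "Winlogon", "\x00Hidden", "WPA\x00Events"]


def win32_view(name):
    """What a null-terminated-string consumer (regedit, RegOpenKeyEx) sees."""
    cut = name.find("\x00")
    return name if cut < 0 else name[:cut]


def rootkitrevealer_style(name):
    """Render the name the way the report in the thread does: '*' per null."""
    return name.replace("\x00", "*")


def find_hidden_keys(native_names):
    """Return (native_name, win32_name) pairs where the two views differ."""
    return [(n, win32_view(n)) for n in native_names if win32_view(n) != n]


if sys.platform == "win32":
    # Native enumeration through ntdll: the only way to read the full name.
    from ctypes import wintypes

    class UNICODE_STRING(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort),
                    ("Buffer", ctypes.c_void_p)]

    class OBJECT_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ulong), ("RootDirectory", wintypes.HANDLE),
                    ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                    ("Attributes", ctypes.c_ulong), ("SecurityDescriptor", ctypes.c_void_p),
                    ("SecurityQualityOfService", ctypes.c_void_p)]

    ntdll = ctypes.WinDLL("ntdll")
    KEY_ENUMERATE_SUB_KEYS = 0x0008
    OBJ_CASE_INSENSITIVE = 0x40
    KEY_BASIC_INFORMATION = 0          # KeyBasicInformation information class
    STATUS_NO_MORE_ENTRIES = 0x8000001A

    def native_subkey_names(nt_path):
        r"""List subkeys of an NT object path such as r"\Registry\Machine\SOFTWARE"."""
        buf = ctypes.create_unicode_buffer(nt_path)
        ustr = UNICODE_STRING(len(nt_path) * 2, ctypes.sizeof(buf), ctypes.addressof(buf))
        attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                                  ctypes.pointer(ustr), OBJ_CASE_INSENSITIVE, None, None)
        handle = wintypes.HANDLE()
        status = ntdll.NtOpenKey(ctypes.byref(handle), KEY_ENUMERATE_SUB_KEYS, ctypes.byref(attrs))
        if status != 0:
            raise OSError("NtOpenKey failed: 0x%08X" % (status & 0xFFFFFFFF))
        names, index = [], 0
        info = ctypes.create_string_buffer(4096)
        got = ctypes.c_ulong()
        try:
            while True:
                status = ntdll.NtEnumerateKey(handle, index, KEY_BASIC_INFORMATION,
                                              info, ctypes.sizeof(info), ctypes.byref(got))
                if (status & 0xFFFFFFFF) == STATUS_NO_MORE_ENTRIES:
                    break
                if status != 0:
                    raise OSError("NtEnumerateKey failed: 0x%08X" % (status & 0xFFFFFFFF))
                # KEY_BASIC_INFORMATION: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[]
                name_len = int.from_bytes(info.raw[12:16], "little")
                names.append(info.raw[16:16 + name_len].decode("utf-16-le"))
                index += 1
        finally:
            ctypes.windll.kernel32.CloseHandle(handle)
        return names


if __name__ == "__main__":
    if sys.platform == "win32":
        # The key from the thread, expressed as an NT object path.
        names = native_subkey_names(r"\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    else:
        names = SAMPLE_NATIVE_NAMES
    for native, visible in find_hidden_keys(names):
        print("hidden: %-24s  Win32 sees: %r" % (rootkitrevealer_style(native), visible))
```

A name whose first character is the null shows up as an empty Win32 name, which is the empty entry the poster saw in regedit. RootkitRevealer's report is the same comparison done for the whole hive; a hit that survives a reboot and a second scan is worth tracing back to whatever wrote the key, using the key's last-write timestamp as the poster did.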
WannabeeDeveloper
Tomato Guru
Germany
775 Posts
Posted - May 24 2005 : 09:19:45 AM
Hmm.
I have just scanned my system using RootkitRevealer 1.4 and it didn't warn me about any entry from Visual Assist or WholeTomato.
But I'll ask the devs about this, to get some info about that possible key entry.
From guessing, I'd say it's either a somewhat broken entry in your registry or from VA 6 (which was never installed on my system here).
Edited by - WannabeeDeveloper on May 24 2005 09:20:06 AM
sagy
New Member
3 Posts
Posted - May 24 2005 : 09:59:32 AM
I focus on VA because the timestamp of the key is very close to the installation date of VA, and I verified this on another old hard disk from which I had used VA earlier, same coincidence. Judging from the date, this means that it should be VA 6, if VA at all.
bugfix
Tomato Guru
Germany
324 Posts
Posted - May 24 2005 : 12:11:14 PM
Key looks like "WPAEvents", which is used for Windows activation. Did you activate your XP w/ some bogus crack? :) Doubt that any software will ever touch this key.
http://www.mf-sd.de
WannabeeDeveloper
Tomato Guru
Germany
775 Posts
Posted - May 24 2005 : 1:08:39 PM
I just double-checked on my home system and bugfix is right. The WPAEvents key is responsible for Windows Activation.
So, no Visual Assist involvement in your registry (at least not in the place you mentioned). I won't comment on the bogus crack possibility that possibly corrupted your key...
sagy
New Member
3 Posts
Posted - May 24 2005 : 5:51:57 PM
It's not the kind of machine that is running on a cracked version. That's part of the reason why I don't like spurious software on it (and rest assured, VA isn't cracked either). Anyway, the WPAEvents key lives in happy coexistence side by side with the hacked key and looks as clean as it could.
As I mentioned, I also find the problem on an older installation, so it's something systematic. But taking your word, I will have to look for other suspects, though I can't see them right now...
Thanks for your investigations! Bernd