Odd behaviour
  • Odd behaviour

    Operating System: Windows XP SP 2
    Burning Software: Nero 6.6.0.16
    Anti-virus Software: nn
    DAEMON Tools Version: 3.47

    For some time I have had problems with my mouse dragging and dropping without me invoking that. No antivirus software found anything. So I started researching by myself and found something odd directly after I installed Daemon-Tools 3.47 in my test environment: with the installation of the drivers (after reboot), a registry key is created that is invisible to Win32 applications. You could not even create it by using Win32 API functions. I found it by using the Windows native API at
    Code:
    HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40
    The \0 at the beginning makes it invisible and inaccessible to Win32.

    If you try to delete HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg in regedit you will get an error, even if your rights are sufficient. This is a typical error you get with these non-Win32 entries.

    These hidden registry items are typically used by rootkits, which was the reason to look for them. I do not want to say that Daemon Tools contains a rootkit, but the problems with my mouse are gone if I remove Daemon Tools. This mouse behaviour could be used to install unwanted software via an old IE6 error, so it is not only odd.

    I ask kindly for comments on this finding.
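A cross-view check for exactly this kind of key, added here as an example and not code from the thread or from DAEMON Tools: it decodes KEY_BASIC_INFORMATION records the way NtEnumerateKey returns them (length-prefixed, so a leading NUL survives) and flags every subkey whose NUL-terminated Win32 view differs from its native name. The sample records are constructed inline; `native_enumerate` is the one Windows-only piece and walks the d347prt\Cfg key from the post through ntdll. As the later replies point out, a hit only proves the key is unreachable from Win32, not that it belongs to a rootkit.

```python
import struct
import sys

# KEY_BASIC_INFORMATION as returned by NtEnumerateKey (layout from the Windows DDK):
#   LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[];
# NameLength is a byte count, so the name is length-prefixed, not NUL-terminated.
_KBI_HEADER = struct.Struct("<qLL")

def parse_key_basic_information(record: bytes) -> str:
    """Decode one record; an embedded NUL survives because we honour NameLength."""
    _, _, name_len = _KBI_HEADER.unpack_from(record, 0)
    start = _KBI_HEADER.size
    return record[start:start + name_len].decode("utf-16-le")

def build_key_basic_information(name: str) -> bytes:
    """Inverse of the parser; used only to construct sample records offline."""
    raw = name.encode("utf-16-le")
    return _KBI_HEADER.pack(0, 0, len(raw)) + raw

def win32_view(name: str) -> str:
    """The name as a NUL-terminated Win32 API (RegEnumKeyEx, regedit) sees it."""
    return name.split("\0", 1)[0]

def find_hidden_subkeys(native_names):
    """Cross-view check: names that differ between the native and the Win32 view
    cannot be opened, listed or deleted through the Win32 registry API."""
    return [n for n in native_names if win32_view(n) != n]

def native_enumerate(root, subkey):
    """Windows only: list subkey names through ntdll!NtEnumerateKey. The HKEY
    from winreg is a real NT handle, so it can be handed straight to ntdll."""
    import ctypes, winreg
    from ctypes import wintypes
    key = winreg.OpenKey(root, subkey, 0, winreg.KEY_READ)
    ntdll = ctypes.WinDLL("ntdll")
    buf = ctypes.create_string_buffer(4096)
    out_len = wintypes.ULONG()
    names, index = [], 0
    # info class 0 == KeyBasicInformation; any non-zero NTSTATUS
    # (e.g. STATUS_NO_MORE_ENTRIES) ends the loop
    while ntdll.NtEnumerateKey(wintypes.HANDLE(key.handle), index, 0, buf,
                               len(buf), ctypes.byref(out_len)) == 0:
        names.append(parse_key_basic_information(buf.raw))
        index += 1
    return names

if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    names = native_enumerate(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\ControlSet001\Services\d347prt\Cfg")
    for name in find_hidden_subkeys(names):
        print("hidden from Win32:", repr(name), "-> Win32 sees", repr(win32_view(name)))
```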

  • #2
    Operating System: Win XP SP2 with all Pre-SP3 patches
    Burning Software: Nero 7 and ISORecorder v2B2
    Anti-virus Software: NOD32, SAV 10 Corporate backup.
    DAEMON Tools Version: 3.47

    That key cannot be deleted because it is the virtual drive that you have set in DT - I have the same key, along with 0jf41, 42, and 43 (because I have 4 drives). Since the drives are at a low level, you cannot delete the key when the drive is active, and vice versa, the key should not be there if you disable *all* drives.

    That being said, however, I would also suggest that you re-download DT just in case something has infected the copy that you have - but again, I seriously doubt that this key shows any sort of rootkit infection.

    In fact, here is a registry export of the cfg key:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg]
    "khjeh"=hex:90,01,00,00,cf,84,16,14,2f,ec,73,73,52,99,36,fa,1c,81,cf,db,4d,7d,\
      a8,b7,6f,1c,77,0d,96,d8,ba,b7,41,b1,82,cb,10,b7,a1,2f,34,49,a2,c2,18,f1,44,\
      12,f1,86,ad,f1,26,be,50,20,a7,ae,ac,16,0e,33,b2,39,78,9e,fc,38,d9,92,ca,94,\
      6b,a8,4a,58,22,4e,86,63,ed,b6,1e,08,4c,5e,e7,aa,78,d9,06,c9,14,9c,a8,e9,d5,\
      9a,4b,4f,32,be,9f,b1,23,bf,0e,d6,da,a3,42,ea,84,88,39,f1,75,4c,4b,62,57,05,\
      e6,2c,be,4d,f5,a2,49,3b,27,9d,f8,4c,79,31,7c,34,d4,10,c0,5e,88,6c,79,25,b8,\
      6a,0e,b2,6a,ed,ef,e0,51,fa,d6,25,f2,dd,60,d3,b5,eb,41,b9,06,59,d3,3e,7e,d9,\
      4a,2b,bc,f7,15,1a,35,8a,54,f7,22,45,20,02,48,a6,7c,95,61,5e,dd,b6,ef,f1,9a,\
      ff,ca,c0,eb,8e,44,48,22,7d,57,72,4c,33,77,16,9d,19,b6,91,9f,38,9f,4e,46,0a,\
      5c,66,71,d0,d9,16,40,89,eb,11,a4,64,fd,19,a8,ff,5f,94,e1,86,c2,f3,f6,d0,19,\
      de,17,95,d0,f4,be,06,57,1d,28,ad,9a,43,e9,d6,63,c3,9b,af,bb,a9,92,be,42,00,\
      9d,a0,cb,09,bc,0e,58,f5,e8,41,48,88,a4,7b,4d,02,c5,99,58,cc,02,a8,37,b6,93,\
      d8,bb,c3,8a,95,19,02,f4,6c,05,30,85,4a,bf,1e,c7,ef,57,1b,6e,cd,24,f0,79,90,\
      1e,1d,28,24,8d,c9,ec,39,e2,e1,10,35,84,a2,69,5f,c8,7e,de,36,16,c0,5f,55,bc,\
      17,86,3e,61,6c,d0,f4,3f,ff,91,be,bb,a7,43,24,eb,7b,3a,89,67,74,05,62,ed,93,\
      84,45,8e,38,d0,70,35,71,8c,86,24,c1,cd,cf,e3,8e,6a,6b,bf,d8,5b,96,e2,cc,d2,\
      15,d9,b6
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf41]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf42]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf43]
    HTH
    http://www.calendarofupdates.com | http://sevenforums.com



    • #3
      Originally Posted by johngalt
      That being said, however, I would also suggest that you re-download DT just in case something has infected the copy that you have - but again, I seriously doubt that this key shows any sort of rootkit infection.
      Thanks for your explanation. I have tried to follow your explanations and it seems to be correct. Currently I do not understand why the entry sometimes disappeared without using the drive, which was the reason for my misdetection.

      I have re-downloaded DT and tested it, of course. The problem with the mouse remains if DT is installed. If it is a "rootkit", it is a very friendly one: if I uninstall DT, the mouse problem also seems to disappear. I was not able to find any open ports. So I do not think this is a "rootkit"; nevertheless it is a security problem if it really is caused by DT.



      • #4
        Oh, so having established that it is not an infection, per se, of DT, the next thing to analyze is whether the IRQs being used by the two devices are possibly the same, causing 'input' from one to affect the other....

        Theoretically this would mean that if you were to load CD images in DT and then try to run them moving the mouse would (possibly) make the images crash as well....

        However, if it is not an IRQ problem, then I have no idea *why* this is happening.

        For further clarification what kind of mouse are ya using and what (if any) 3rd party drivers for ti are being used?


        • #5
          Originally Posted by johngalt
          Theoretically this would mean that if you were to load CD images in DT and then try to run them moving the mouse would (possibly) make the images crash as well....
          This never happened until now
          I looked in the device manager ("Resources by Type") and found no double usage of an IRQ. But I wonder if a virtual device like DT uses an IRQ at all.

          Originally Posted by johngalt
          For further clarification what kind of mouse are ya using and what (if any) 3rd party drivers for ti are being used?
          I use only PS/2-attached mouse devices. I have tested different Microsoft devices: cable, wireless, ball or optical. I use the IntelliPoint device driver.
          I do not know what you mean by "ti", but there are no other pointing devices installed.



          • #6
            I didn't think the IRQ idea would pan out for the same reason - I was not sure they would be using one. Nevertheless, it was worth a shot.

            Since they are all PS/2-style mice and you are having a problem, have you considered borrowing a USB mouse to eliminate the drive conflict? Although this too is far-fetched, since you say it only started recently.

            It was a mistype of "it".