
Resolved Swearware in the registry

Discussion in 'Security and Privacy' started by jpChris, 2011/03/29.

  1. 2011/03/29
    jpChris

    jpChris Inactive Thread Starter

    Joined:
    2003/09/21
    Messages:
    1,062
    Likes Received:
    9
    Hi all,

    I did a RootKit scan and it found almost 30 of these entries:

    HKLM\SOFTWARE\Swearware\backup\winsock2 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 3/19/2011 12:35 PM 0 bytes Security mismatch.
    HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 3/19/2011 12:35 PM 0 bytes Security mismatch.

    etc., etc., etc. The dates seem to coincide with the Bytescout debacle a couple of weeks ago.

    I've found it's from ComboFix, SmitfraudFix, etc. However, there's no consensus as to what to do with these entries, or if they really are CF, SF related.

    I know that Avast and Spybot Search & Destroy scan for rootkits, and I only found the Swearware entries in the registry when I was looking for something else.

    OK to delete the Swearware folder from the registry?
     
    Last edited: 2011/03/29
  2. 2011/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Those entries are safe.
     


  4. 2011/03/29
    jpChris

    So it's OK to delete them, broni?
     
  5. 2011/03/29
    broni

    No. You can safely leave them alone.
     
  6. 2011/03/29
    jpChris

    OK, thanks.
     
  7. 2011/03/29
    broni

    Sure thing :)
     
  8. 2011/03/29
    jpChris

    A thought: Every time I do a RootkitRevealer scan, all these entries will be in there obfuscating my brain. Would it be safe to export then delete — providing nothing gets messed up?
     
  9. 2011/03/29
    broni

    Unfortunately, I'm not sure about the consequences if you remove them.
    The registry (if nothing malicious is detected) is better left alone.
     
  10. 2011/03/29
    jpChris

    Then I'll follow "Plan A" and export\delete one at a time, see if there are any problems, and continue if not.
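    The "export, then delete" routine described in this post, written out as an added PowerShell example (not code from the thread or from ComboFix). It assumes the key path the thread reports, HKLM\SOFTWARE\Swearware, and a backup folder under the user profile that is an assumption; it removes the whole key in one step after a verified export rather than one subkey at a time, and it runs with -WhatIf so nothing is deleted until that switch is removed.

    ```powershell
    # Added example: export a leftover registry key to a .reg file, verify the
    # backup exists and is non-empty, and only then delete the key so the change
    # can be rolled back with reg.exe import. Run from an elevated PowerShell.
    $KeyPath    = 'HKLM\SOFTWARE\Swearware'           # reg.exe path syntax (from the thread)
    $PsKeyPath  = 'HKLM:\SOFTWARE\Swearware'          # PowerShell registry-provider syntax
    $BackupDir  = "$env:USERPROFILE\RegistryBackups"  # assumed backup location
    $Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $BackupFile = Join-Path $BackupDir "Swearware-$Stamp.reg"

    if (-not (Test-Path $PsKeyPath)) {
        Write-Host "Key $KeyPath is not present; nothing to do."
        return
    }

    # Show what is about to be touched: subkey count and the first few names.
    $SubKeys = Get-ChildItem -Path $PsKeyPath -Recurse -ErrorAction Stop
    Write-Host "Found $($SubKeys.Count) subkeys under $KeyPath"
    $SubKeys | Select-Object -First 5 -ExpandProperty Name

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 1: export. reg.exe sets a non-zero exit code when the export fails.
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile) -or (Get-Item $BackupFile).Length -eq 0) {
        throw "Export to $BackupFile failed; not deleting anything."
    }
    Write-Host "Backup written to $BackupFile"

    # Step 2: delete only after the backup is verified. -WhatIf previews the
    # removal without changing the registry; drop it to perform the deletion.
    Remove-Item -Path $PsKeyPath -Recurse -Force -WhatIf

    # Rollback, should anything misbehave afterwards:
    #   reg.exe import "$BackupFile"
    ```

    The ordering is the point: the export is checked for success and size before Remove-Item is reached, so a failed or empty backup aborts the script instead of leaving no way back. Keep the .reg file until a reboot and the usual network activity have confirmed nothing depended on the key.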
     
  11. 2011/03/29
    broni

    Go ahead, but consider yourself as being warned.
     
  12. 2011/03/29
    jpChris

    Duly noted.
     
  13. 2011/04/03
    jpChris

    Update

    Swearware is ComboFix stuff. I followed "Plan A" and everything is OK. :D
     
  14. 2011/04/03
    broni

    Ok :)
     
