Thug21
Just Chillin'
Premium
join:2005-08-21
kudos:1

3 edits

Hidden registry objects.

Hello,

I recently ran an Anti-rootkit scan with Antivir on my parents PC.

It came up with the some of the below results.

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32\threadingmodel
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32\cd042efbbd7f7af1647644e76e06692b
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32\threadingmodel
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32\bca643cdc5c2726b20d2ecedcc62c59b
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32\threadingmodel
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32\2c81e34222e8052573023a60d06dd016
[NOTE] The registry entry is invisible.

If I go to one in regedit and locate/click the first mentioned one, I get "Cannot open Inprocserver32: Error while opening key."

If I right click and try to check the security permissions, I get "unable to display security information".

If I do a search for "cd042efbbd7f7af1647644e76e06692b" it's not found.

Nothing else is found by Avira (either rootkit or file scan) and nothing by AVG Anti-rootkit. Do the above objects seem to be potentially malicious?

I have posted this on the Avira forum but I'm a bit worried and could use the expertise on this site as well.

Thank you,

Edit - this is on an admin account on WinXP home (converted years ago from Win ME).
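As an added example (not from this thread and not Avira's code), a small Python triage helper that parses hidden-object scan output in the layout quoted above, rejoins the key paths the forum wrapped onto two lines, and groups the hidden value names by CLSID so each CLSID can be looked up on its own. The sample text is constructed from two of the entries above, and the 32-hex-character value-name check is my own heuristic, not anything the scanner reports.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Avira output quoted in the thread
# (the forum wrapped each long key path onto a second line; two CLSIDs kept).
SAMPLE_SCAN = r"""Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C6
3153}\InprocServer32\threadingmodel
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C6
3153}\InprocServer32\cd042efbbd7f7af1647644e76e06692b
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C
741C}\InprocServer32\threadingmodel
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C
741C}\InprocServer32\bca643cdc5c2726b20d2ecedcc62c59b
[NOTE] The registry entry is invisible.
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)   # MD5-looking value name

def parse_hidden_objects(text):
    """One dict per flagged entry: full path, parent key, value name, CLSID, note."""
    entries, path = [], None
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith("HKEY_"):
            path = line                      # start of a new registry path
        elif line.startswith("[NOTE]") and path is not None:
            key, _, value = path.rpartition("\\")
            m = CLSID_RE.search(path)
            entries.append({"path": path, "key": key, "value": value,
                            "clsid": m.group(0) if m else None,
                            "note": line[len("[NOTE]"):].strip()})
            path = None
        elif line and path is not None:
            path += line                     # rejoin a wrapped path line
    return entries

def triage_by_clsid(entries):
    """Group hidden value names under their CLSID; list the hash-like ones separately."""
    groups = defaultdict(lambda: {"values": [], "hash_like": []})
    for e in entries:
        if e["clsid"]:                       # skip paths that carry no CLSID
            groups[e["clsid"]]["values"].append(e["value"])
            if HEX32_RE.match(e["value"]):
                groups[e["clsid"]]["hash_like"].append(e["value"])
    return dict(groups)
```

Feed it the saved scan log instead of SAMPLE_SCAN to get a per-CLSID list; a CLSID whose InprocServer32 key cannot even be opened in regedit is a permissions question before it is a malware question.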


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

2 edits

1 recommendation

You might want to take a look at the nearly two-year-old CNET forum thread: Spyware, viruses, & security : Have I got a Rootkit?

In that thread, the same CLSID entries that you posted seem to have been determined to belong to Pinnacle Studio 9.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


Thug21
Just Chillin'
Premium
join:2005-08-21
kudos:1

2 edits
Thank you very much! Studio 9 is indeed on that pc.
I wonder why it makes those "hidden" keys, though.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
said by Thug21:

Studio 9 is indeed on that pc.
I wonder why it makes those "hidden" keys, though.

That is a question best directed to the programming staff at Pinnacle Systems. DRM and copy protection are two scenarios that pop into my head.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


Thug21
Just Chillin'
Premium
join:2005-08-21
kudos:1

1 edit
Can't say I'm fond of "rootkit DRM."

Thanks for the info.

dannyboy 950
Premium
join:2002-12-30
Port Arthur, TX
reply to Thug21
I am kinda curious how the AV was able to see the entries if they were hidden from the system?

I don't doubt anything yer saying, just curious what the AV may check and how it does it.


Thug21
Just Chillin'
Premium
join:2005-08-21
kudos:1

4 edits
Avira Antivir has an anti-rootkit/hidden objects scan option for the on demand scanner (in both free & paid versions). That scan is what found these little surprises.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Thug21
Let's take the mystery out of these rootkit proggies and the implication that whatever they do find in scanning is some sort of bad thing that has taken over your PC. Seems to me they are all just adding to the paranoia.

Create Invisible Registry Entries in Windows

I came across this neat trick while developing an application that needed to have invisible registry entries. This trick is suitable for software developers, who need to make sure the registry keys and values remain what they set them to and the keys aren’t being messed with.

Nowadays, everyone has access to the registry editor and can modify, delete or add registry keys. This is a great thing, as long as you know how and which registry values need to be modified. Creating an invisible registry key gives you the guarantee that your keys will remain what you set them, and the applications you develop won’t encounter any problems in reading wrong data. If you want to create an invisible registry folder, this is the solution for you!

»www.reviewingit.com/index.php/co···ew/28/2/
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

2 recommendations

said by that web site:

I came across this neat trick while developing an application that needed to have invisible registry entries.
The only application that 'needs' to have invisible registry entries is malware. Writing such code is deceptive by design. Users should reject any software that tries to hide from the owner of the PC.

OZO
Premium
join:2003-01-17
kudos:2
reply to Name Game
It's certainly a regedit bug. What if I'm using any other registry editor? Then I'll see all of the "hidden" values in the key.


If you are concerned about hiding a value in the registry, do the following (and I got the "trick" from watching some of m$'s products run). When you install your program, put thousands of registry keys/values in different places. As you may guess, the majority of them may be completely meaningless. When the program is started, query all of them in a random order, making hundreds of requests per second and doing some modifications in the process. Users who try to understand them will simply be lost. The computer will run a bit slower, but who cares... Memory is dirt cheap, processors are cheap, HD space is getting cheaper day by day... Recommend that customers buy new, contemporary hardware and that's it. If that becomes not enough, put tens of thousands of records in different places and keep them if the user ultimately decides to run "unwise.exe" (in plain English - uninstall) at the end.

BTW, have you tried to run "regmon" when IE starts? Try it. Have fun. At the time it loads it makes around 15 thousand requests to the registry (just think about it for a sec!). When it starts it even checks all subkeys in HKCU\Software\Microsoft\Windows\CurrentVersion\Telephony\Cards, getting phone numbers and other info for e.g. AT&T Direct Dial Card ("AT&T Direct Dial via 1010ATT1"), Global Card (Taiwan to USA), Telecom New Zealand, etc. Perhaps it's very important info for loading IE properly...

The more developers employ this practice, the better for those who need to hide something in the registry. I think it's obvious. Hi-speed CPUs will compensate for dealing with that registry trash, won't they?
--
Keep it simple, it'll become complex by itself...


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

1 recommendation

reply to Thug21


The keys are hidden because you don't have permission to read or write to the key.

If you add your account and give yourself permission, you can then see the keys.

It can be a big pain in the butt because there could be more hidden keys revealed as you add permissions, then you have to add and modify your account, sometimes many, many times.

Ran into this trying to delete all of Creative's software from my system.

Most of the keys are hidden so that only the system and the trusted installer can access the keys and malware can't.
Keeps you outta trouble, until you need to remove them.