
BlaZe X
join:2001-08-07 Brooklyn, NY
Avira finds hidden registry entries
Avira finds two hidden registry objects. Can they be possible rootkits? I tried a Google search and haven't found anything on them. I also posted in the Avira forums, but I didn't really get much input about what it can be. They mentioned that software called Studio 9 uses hidden registry entries, but I never installed this software. What else could it be?
Here's what it finds:
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F 1F61}\InProcServer32\oaklgcffoomoodagbbadblbhlbffjc
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F 1F61}\InProcServer32\naklmdmgnchnoppccdacnndjgjek
[INFO] The registry entry is invisible.
'315899' objects were checked, '2' hidden objects were found.
BlaZe X
join:2001-08-07 Brooklyn, NY
Re: Avira finds hidden registry entries
said by bcastner: Open Regedit and navigate to: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61} What DLL or other program is referenced there? The key is this value: {EB763CD6-EB61-CF33-466E-3849D06F1F61} I do not have a Google hit on it, but that is not definitive of anything. Look with regedit under the root key above and see if you can find a reference to something that is searchable.
There are no references to this when I go to this key. Also, trying to open the InProcServer32 folder gives me an error: "cannot open InProcServer32: Error while opening key"
said by Trel: Do you use Daemon tools?
I do use Daemon Tools and I know it uses a type of rootkit technology, but can they be related to this key? I have used the Sophos anti-rootkit scanner before and it leads to this key: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40, which I know is related to Daemon Tools.
Trel Good Evening Premium join:2002-10-08 Hillsborough, NJ
Re: Avira finds hidden registry entries
said by BlaZe X: I do use Daemon Tools and I know it uses a type of rootkit technology, but can they be related to this key? I have used the Sophos anti-rootkit scanner before and it leads to this key: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40, which I know is related to Daemon Tools.
I'm not sure, I just know Daemon Tools shows up in some scanners.
Trel Good Evening Premium join:2002-10-08 Hillsborough, NJ
said by BlaZe X: Avira finds two hidden registry objects. Can they be possible rootkits?
Do you use Daemon Tools?
bcastner Premium, VIP, MVM join:2002-09-25 Chevy Chase, MD
Since there is no reference to a PE type of file, the entry is harmless.
It looks to me to be a lookup table. For example, I might use the registry as a scratchpad to hold configuration settings.
It most assuredly is not a rootkit reference, and most assuredly is not an active threat. There is no there there. The fact that it is hidden is the only interesting thing about it, but there is nothing particularly interesting about that either. If I was using the registry to record, say, GUI settings, I likely would hide it so that all those who love to run registry cleaners did not zap the parameter lookup table storage area.
Without a PE reference, there is no harm and no foul.
Take the CLSID: {EB763CD6-EB61-CF33-466E-3849D06F1F61} and use that value to search HKLM and HKCU to see if there are additional entries that lead to something intelligible.
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
BlaZe X
join:2001-08-07 Brooklyn, NY
Re: Avira finds hidden registry entries
I've searched for that value; there are no other entries that point to anything. I will take your word that it's probably not a rootkit and I'm just being a little too paranoid about it. Thanks for the help.
Trel Good Evening Premium join:2002-10-08 Hillsborough, NJ
said by bcastner: Since there is no reference to a PE type of file, the entry is harmless.
What do you mean when you say PE? I'm not familiar with that term in this context.
redwolfe_98
join:2001-06-11
If the regkey, supposedly, is "hidden", I don't see how you were able to find it in the registry, unless it is not really hidden. If it is not really hidden, then why did AntiVir flag it?
I would do a scan with "GMER" and see if it flags anything.
I also think that you should discuss this issue in the Avira forum, so that, if there is a problem with AntiVir's rootkit scanner, it is brought to their attention.
BlaZe X
join:2001-08-07 Brooklyn, NY
Hi redwolfe, I ran a scan with GMER and this is what it found for the registry portion:
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32@oaklgcffoomoodagbbadblbhlbffjc 0x69 0x61 0x6C 0x65 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32@naklmdmgnchnoppccdacnndjgjek 0x6A 0x61 0x69 0x65 ...
---- EOF - GMER 1.0.14 ----
So does this mean that Avira is correctly flagging this entry and I should still ignore it? Thanks
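The two checks bcastner describes (does InProcServer32 reference a PE file, and does the CLSID show up anywhere else in HKLM or HKCU), plus a hex-and-ASCII view of the binary values that GMER lists above, as an added PowerShell example that is not code from the thread, from Avira or from GMER; the only assumed value is the CLSID taken from the log, used as a default parameter.

```powershell
# Added example (not from the thread). Assumes the CLSID the posters discuss.
param([string]$Clsid = '{EB763CD6-EB61-CF33-466E-3849D06F1F61}')
$roots = @("HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
           "HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID\$Clsid",
           "HKCU:\Software\Classes\CLSID\$Clsid")

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Write-Host "Found: $root"
    # A key a rootkit hides usually cannot be opened at all; report that
    # instead of failing, since the failure is itself a useful signal.
    $server = Get-ItemProperty -Path "$root\InProcServer32" -ErrorAction SilentlyContinue
    if ($null -eq $server) {
        Write-Host "  InProcServer32 could not be opened (hidden or access denied)"
        continue
    }
    # A genuine COM registration names the DLL to load in the default value.
    $dll = $server.'(default)'
    if ($dll -and $dll -match '\.(dll|exe|ocx)$') {
        $onDisk = Test-Path ([Environment]::ExpandEnvironmentVariables($dll))
        Write-Host "  Server: $dll (exists on disk: $onDisk)"
    } else {
        Write-Host "  No PE file referenced in InProcServer32"
    }
    # Show every other value; REG_BINARY data as hex plus ASCII, which is
    # what GMER's '0x69 0x61 ...' listing amounts to.
    foreach ($p in $server.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Name -eq '(default)') { continue }
        if ($p.Value -is [byte[]]) {
            $hex   = ($p.Value | ForEach-Object { '0x{0:X2}' -f $_ }) -join ' '
            $ascii = -join ($p.Value | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
            Write-Host "  $($p.Name) = $hex  ('$ascii')"
        } else {
            Write-Host "  $($p.Name) = $($p.Value)"
        }
    }
}

# bcastner's second step: any other key whose name or values mention the
# CLSID shows what registered it. Recursing a whole hive takes a while.
foreach ($hive in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $hit = $key.Name -like "*$Clsid*"
        foreach ($n in $key.GetValueNames()) {
            if ("$($key.GetValue($n))" -like "*$Clsid*") { $hit = $true }
        }
        if ($hit) { Write-Host "Reference: $($key.Name)" }
    }
}
```

Run it from an elevated PowerShell prompt; a value that decodes to plain text with no DLL behind it is the "lookup table, no PE" situation bcastner describes, while a DLL path that exists on disk is what you would submit for analysis.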
BlaZe X
join:2001-08-07 Brooklyn, NY
Re: Avira finds hidden registry entries
Thanks for the link, I have posted my log at CastleCops.