Topic 'Re: Avira finds hidden registry entries' in forum 'Security' - dslreports.com http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20375906 en Sat, 11 Feb 2012 06:08:24 EDT Sat, 11 Feb 2012 06:08:24 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20391966 http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20391966 Sat, 26 Apr 2008 17:18:39 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20390048
»www.castlecops.com/f233-Rootkit_···ons.html

alternatively, you could post in DSLReports' "cleanup" forum and see if any of the experts, there, have any suggestions.. here is a link for the forum:

»Security Cleanup]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20390048 Sat, 26 Apr 2008 05:37:08 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20389786
---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32@oaklgcffoomoodagbbadblbhlbffjc 0x69 0x61 0x6C 0x65 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32@naklmdmgnchnoppccdacnndjgjek 0x6A 0x61 0x69 0x65 ...

---- EOF - GMER 1.0.14 ----

So does this mean that avira is correctly flagging this entry and I should still ignore it? thanks]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20389786 Sat, 26 Apr 2008 02:33:12 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20385860
i would do a scan with "GMER" and see if it flags anything..

i also think that you should discuss this issue in the avira forum, so that, if there is a problem with antivir's rootkit-scanner, it is brought to their attention..]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20385860 Fri, 25 Apr 2008 13:15:21 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20381739 »en.wikipedia.org/wiki/Portable_Executable

Sorry for the use of jargon.]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20381739 Thu, 24 Apr 2008 18:53:40 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20381343 said by bcastner:

Since there is no reference to a PE type of file, the entry is harmless.

It looks to me to be a lookup table. For example, I might use the registry as a scratchpad to hold configuration settings.

It most assuredly is not a rootkit reference, and most assuredly is not an active threat. There is not there, there. The fact that it is hidden is the only interesting thing about it; but there is nothing particularly interesting about that either. If I was using the registry to record, say GUI settings, I likely would hide it so that all those who love to run registry cleaners did not zap the parameter lookup table storage area.

Without a PE reference, there is no harm and no foul.

Take the CLSID: {EB763CD6-EB61-CF33-466E-3849D06F1F61}
And use that value to search HKLM and HKCU to see if there are additional entries that lead to something intelligible.

What do you mean when you say PE? I'm not familiar with that term in this context.]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20381343 Thu, 24 Apr 2008 17:38:11 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20380751 http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20380751 Thu, 24 Apr 2008 16:00:42 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20379220
It looks to me to be a lookup table. For example, I might use the registry as a scratchpad to hold configuration settings.

It most assuredly is not a rootkit reference, and most assuredly is not an active threat. There is not there, there. The fact that it is hidden is the only interesting thing about it; but there is nothing particularly interesting about that either. If I was using the registry to record, say GUI settings, I likely would hide it so that all those who love to run registry cleaners did not zap the parameter lookup table storage area.

Without a PE reference, there is no harm and no foul.

Take the CLSID: {EB763CD6-EB61-CF33-466E-3849D06F1F61}
And use that value to search HKLM and HKCU to see if there are additional entries that lead to something intelligible.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20379220 Thu, 24 Apr 2008 11:28:15 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20377688 said by BlaZe X:

said by bcastner:

Open Regedit and navigate to:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}

What DLL or other program is referenced there?

The key is this value: {EB763CD6-EB61-CF33-466E-3849D06F1F61} I do not have a Google hit on it, but that is not definitive of anything.

Look with regedit under the root key above and see if you can find a reference to something that is searchable.
There are no references to this when go to this key. Also trying to open InProcServer32 folder gives me an error - "cannot open InProcServer32: Error while opening key"

said by Trel:

Do you use Daemon tools?
I do use daemon tools and i know it uses a type of rootkit technology but can they be related to these key? I have used sophos anti-rootkit scanner before and it leads to this key.: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 which I know is related to daemon tools.
I'm not sure, I just know Daemon Tools shows up in some scanners.]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20377688 Thu, 24 Apr 2008 00:40:31 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20377610 said by bcastner:

Open Regedit and navigate to:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}

What DLL or other program is referenced there?

The key is this value: {EB763CD6-EB61-CF33-466E-3849D06F1F61} I do not have a Google hit on it, but that is not definitive of anything.

Look with regedit under the root key above and see if you can find a reference to something that is searchable.
There are no references to this when go to this key. Also trying to open InProcServer32 folder gives me an error - "cannot open InProcServer32: Error while opening key"

said by Trel:

Do you use Daemon tools?
I do use daemon tools and i know it uses a type of rootkit technology but can they be related to these key? I have used sophos anti-rootkit scanner before and it leads to this key.: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 which I know is related to daemon tools.
Click for full size
]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20377610 Thu, 24 Apr 2008 00:16:33 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20376433 said by BlaZe X:

Avira finds two hidden registry objects. Can they be possible rootkits? i tried a google search i haven't found anything on them. I also posted in the avira forums, I didn't really get much input about what it can be. They mentioned a software called studio 9 uses hidden registry entries but I never installed this software. What else could it be?

Heres what it finds:

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F
1F61}\InProcServer32\oaklgcffoomoodagbbadblbhlbffjc
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F
1F61}\InProcServer32\naklmdmgnchnoppccdacnndjgjek
[INFO] The registry entry is invisible.
'315899' objects were checked, '2' hidden objects were found.
Do you use Daemon tools?]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20376433 Wed, 23 Apr 2008 20:08:30 EDT Re: Avira finds hidden registry entries http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20376068
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}

What DLL or other program is referenced there?

The key is this value: {EB763CD6-EB61-CF33-466E-3849D06F1F61} I do not have a Google hit on it, but that is not definitive of anything.

Look with regedit under the root key above and see if you can find a reference to something that is searchable.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/Re-Avira-finds-hidden-registry-entries-20376068 Wed, 23 Apr 2008 18:46:53 EDT Avira finds hidden registry entries http://www.dslreports.com/forum/Avira-finds-hidden-registry-entries-20375906
Heres what it finds:

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F
1F61}\InProcServer32\oaklgcffoomoodagbbadblbhlbffjc
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F
1F61}\InProcServer32\naklmdmgnchnoppccdacnndjgjek
[INFO] The registry entry is invisible.
'315899' objects were checked, '2' hidden objects were found.]]> http://www.dslreports.com/forum/Avira-finds-hidden-registry-entries-20375906 Wed, 23 Apr 2008 18:18:21 EDT