BlaZe X (reply to redwolfe_98) Re: Avira finds hidden registry entries
Thanks for the link. I have posted my log in CastleCops.

redwolfe_98 (reply to BlaZe X)
blaze, here is a link to a forum at "castlecops" where "experts" can help you with analyzing the GMER scan results:
»www.castlecops.com/f233-Rootkit_···ons.html
alternatively, you could post in DSLReports' "cleanup" forum and see if any of the experts there have any suggestions.. here is a link for the forum:
»Security Cleanup

BlaZe X (reply to BlaZe X)
Hi redwolfe, I ran a scan with GMER and this is what it found for the registry portion:
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32@oaklgcffoomoodagbbadblbhlbffjc 0x69 0x61 0x6C 0x65 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32@naklmdmgnchnoppccdacnndjgjek 0x6A 0x61 0x69 0x65 ...
---- EOF - GMER 1.0.14 ----
So does this mean that Avira is correctly flagging this entry and I should still ignore it? Thanks

redwolfe_98 (reply to BlaZe X)
If the regkey, supposedly, is "hidden", I don't see how you were able to find it in the registry, unless it is not really hidden.. if it is not really hidden, then why did AntiVir flag it..
I would do a scan with "GMER" and see if it flags anything..
I also think that you should discuss this issue in the Avira forum, so that, if there is a problem with AntiVir's rootkit scanner, it is brought to their attention..

bcastner (reply to Trel)
PE = "Portable Executable": »en.wikipedia.org/wiki/Portable_Executable
Sorry for the use of jargon.

Trel (reply to bcastner)
said by bcastner:
Since there is no reference to a PE type of file, the entry is harmless. It looks to me to be a lookup table. For example, I might use the registry as a scratchpad to hold configuration settings. It most assuredly is not a rootkit reference, and most assuredly is not an active threat. There is no there, there. The fact that it is hidden is the only interesting thing about it; but there is nothing particularly interesting about that either. If I was using the registry to record, say, GUI settings, I likely would hide it so that all those who love to run registry cleaners did not zap the parameter lookup table storage area. Without a PE reference, there is no harm and no foul. Take the CLSID: {EB763CD6-EB61-CF33-466E-3849D06F1F61} and use that value to search HKLM and HKCU to see if there are additional entries that lead to something intelligible.

What do you mean when you say PE? I'm not familiar with that term in this context.

BlaZe X (reply to bcastner)
I've searched for that value; there are no other entries that point to anything. I will take your word that it's probably not a rootkit and I'm just being a little too paranoid about it. Thanks for the help.

bcastner (reply to BlaZe X)
Since there is no reference to a PE type of file, the entry is harmless.
It looks to me to be a lookup table. For example, I might use the registry as a scratchpad to hold configuration settings.
It most assuredly is not a rootkit reference, and most assuredly is not an active threat. There is no there, there. The fact that it is hidden is the only interesting thing about it; but there is nothing particularly interesting about that either. If I was using the registry to record, say, GUI settings, I likely would hide it so that all those who love to run registry cleaners did not zap the parameter lookup table storage area.
Without a PE reference, there is no harm and no foul.
Take the CLSID: {EB763CD6-EB61-CF33-466E-3849D06F1F61} and use that value to search HKLM and HKCU to see if there are additional entries that lead to something intelligible.
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users

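One way to carry out the check bcastner describes (search HKLM and HKCU for the CLSID and see whether its server key actually points at a PE file), as an added PowerShell example that is not code from the thread or from any of the tools mentioned in it. The CLSID default is the one from the thread; the key paths checked, the helper name Test-PeFile and the output wording are assumptions.

```powershell
# Added example, not code from the thread. Given a CLSID, walk the places a COM
# class can be registered under HKLM and HKCU, show what its server key points to,
# and check whether that target is really a PE file (MZ header) on disk.
# The CLSID default is the one from the thread; paths and helper names are assumed.
param([string]$Clsid = '{EB763CD6-EB61-CF33-466E-3849D06F1F61}')

$roots = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID\$Clsid",
    "HKCU:\SOFTWARE\Classes\CLSID\$Clsid"
)

function Test-PeFile([string]$Target) {
    # Server values look like "C:\path\x.dll" or C:\path\x.exe /args; keep the path part.
    $p = [Environment]::ExpandEnvironmentVariables($Target).Trim()
    $p = if ($p.StartsWith('"')) { $p.Split('"')[1] } else { $p.Split(' ')[0] }
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { return "missing file: $p" }
    $fs = [IO.File]::OpenRead($p); $hdr = New-Object byte[] 2
    [void]$fs.Read($hdr, 0, 2); $fs.Close()
    if ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) { "PE file: $p" } else { "not a PE: $p" }
}

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    "== $root"
    foreach ($server in 'InProcServer32', 'LocalServer32') {
        $key = Join-Path $root $server
        try {
            $k = Get-Item -LiteralPath $key -ErrorAction Stop
        } catch [System.Management.Automation.ItemNotFoundException] {
            continue                                  # no such server key; normal
        } catch {
            # Listed but not openable, as reported in this thread: worth flagging by itself.
            "  $server could not be opened: $($_.Exception.Message)"; continue
        }
        # The (default) value holds the DLL/EXE a COM server is loaded from.
        $target = $k.GetValue('')
        if ([string]::IsNullOrWhiteSpace($target)) {
            "  $server has no default value (no PE reference)"
        } else {
            "  $server -> $target : $(Test-PeFile $target)"
        }
        # Named values under a server key are unusual for a COM registration; list them.
        foreach ($name in $k.GetValueNames() | Where-Object { $_ -ne '' }) {
            "  extra value under $server : $name"
        }
    }
}
```

A key that a rootkit hides from user mode will not show up here at all; an empty default value or a server key that exists but cannot be opened is what this script is meant to surface.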
Trel (reply to BlaZe X)
said by BlaZe X:
    said by bcastner:
    Open Regedit and navigate to: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61} What DLL or other program is referenced there? The key is this value: {EB763CD6-EB61-CF33-466E-3849D06F1F61} I do not have a Google hit on it, but that is not definitive of anything. Look with regedit under the root key above and see if you can find a reference to something that is searchable.

    There are no references to this when I go to this key. Also, trying to open the InProcServer32 folder gives me an error: "cannot open InProcServer32: Error while opening key"

    said by Trel:
    Do you use Daemon tools?

    I do use Daemon Tools and I know it uses a type of rootkit technology, but can they be related to these keys? I have used the Sophos anti-rootkit scanner before and it leads to this key: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 which I know is related to Daemon Tools.

I'm not sure, I just know Daemon Tools shows up in some scanners.

BlaZe X (reply to bcastner)
said by bcastner:
Open Regedit and navigate to: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61} What DLL or other program is referenced there? The key is this value: {EB763CD6-EB61-CF33-466E-3849D06F1F61} I do not have a Google hit on it, but that is not definitive of anything. Look with regedit under the root key above and see if you can find a reference to something that is searchable.

There are no references to this when I go to this key. Also, trying to open the InProcServer32 folder gives me an error: "cannot open InProcServer32: Error while opening key"

said by Trel:
Do you use Daemon tools?

I do use Daemon Tools and I know it uses a type of rootkit technology, but can they be related to these keys? I have used the Sophos anti-rootkit scanner before and it leads to this key: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 which I know is related to Daemon Tools.

Trel (reply to BlaZe X)
said by BlaZe X:
Avira finds two hidden registry objects. Can they be possible rootkits? I tried a Google search and I haven't found anything on them. I also posted in the Avira forums; I didn't really get much input about what it can be. They mentioned that a software called Studio 9 uses hidden registry entries, but I never installed this software. What else could it be? Here's what it finds:
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32\oaklgcffoomoodagbbadblbhlbffjc
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32\naklmdmgnchnoppccdacnndjgjek
[INFO] The registry entry is invisible.
'315899' objects were checked, '2' hidden objects were found.

Do you use Daemon tools?

bcastner (reply to BlaZe X)
Open Regedit and navigate to:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}
What DLL or other program is referenced there?
The key is this value: {EB763CD6-EB61-CF33-466E-3849D06F1F61} I do not have a Google hit on it, but that is not definitive of anything.
Look with regedit under the root key above and see if you can find a reference to something that is searchable.
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users

BlaZe X
Avira finds two hidden registry objects. Can they be possible rootkits? I tried a Google search and I haven't found anything on them. I also posted in the Avira forums; I didn't really get much input about what it can be. They mentioned that a software called Studio 9 uses hidden registry entries, but I never installed this software. What else could it be?
Here's what it finds:
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32\oaklgcffoomoodagbbadblbhlbffjc
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB763CD6-EB61-CF33-466E-3849D06F1F61}\InProcServer32\naklmdmgnchnoppccdacnndjgjek
[INFO] The registry entry is invisible.
'315899' objects were checked, '2' hidden objects were found.