
9 hidden registry keys found



billybob0626
2008-04-17, 07:43
Here are the 9 hidden registry keys that RootAlyzer found.

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\????????\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""

How do I remove them?

PepiMK
2008-04-17, 09:27
What does the "details" column in the results list say about these entries?

They all look like the registry "corruption" problem though, since I haven't found any way even rootkits could create entries with a length of 0 for the name yet. Will give it a try next week; until then, I would recommend doing nothing about them, since they're most likely "just" a slightly corrupted registry thing.

billybob0626
2008-04-17, 19:20
Thank you for your response. They say "could not open key". A few days ago I went to log on to my Hotmail account and I received a message that the Live Mail page had been updated and I needed to re-enter my info. This raised suspicion, so I ran RootAlyzer and the above items came up. Again, thank you for your response.

billybob0626

jislo
2008-04-26, 08:11
Hi everyone, I got something similar.

In the script for the Spybot include screen where you can actually copy the text, this is what I got:
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\???FreeAgent Drive_270747319\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\???FreeAgent Drive_2363351417\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\?æ???????????æ?æ????\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\?*???????????*?*????\",""


But in the actual deep scan window I get a bunch of what seem to be Chinese symbols...
Here's a link to a screenshot of that screen, I am sorry if this is not allowed, I just don't know how else to show you: http://i28.tinypic.com/2jbpdhe.jpg

jislo
2008-04-28, 07:17
Never mind that, I downloaded the update and ran a deep scan again, and now I got a bunch of system folders and registry files marked as "No admin in ACL"
and a lot of "Unknown ADS" entries for files I created and that I know are safe... no idea if these results are right or why they are being flagged like this...

Examples of the "No admin in ACL" files:
File:"No admin in ACL","D:\Windows\System32\drivers\disk.sys"
File:"No admin in ACL","D:\Windows\System32\drivers\hidclass.sys"
File:"No admin in ACL","D:\Windows\System32\drivers\hidparse.sys"
File:"No admin in ACL","D:\Windows\System32\drivers\hidusb.sys"
File:"No admin in ACL","D:\Windows\System32\drivers\mouclass.sys"
File:"No admin in ACL","D:\Windows\System32\drivers\mouhid.sys"
File:"No admin in ACL","D:\Windows\System32\drivers\USBSTOR.SYS"
File:"No admin in ACL","D:\Windows\System32\drivers\volsnap.sys"
File:"No admin in ACL","D:\Windows\inf\drvindex.dat"
File:"No admin in ACL","D:\Windows\inf\INFCACHE.1"
File:"No admin in ACL","D:\Windows\inf\infpub.dat"
File:"No admin in ACL","D:\Windows\inf\infstor.dat"
File:"No admin in ACL","D:\Windows\inf\infstrng.dat"
File:"No admin in ACL","C:\Windows\bthservsdp.dat"
File:"No admin in ACL","C:\Windows\System32\fsquirt.exe"
File:"No admin in ACL","C:\Windows\System32\hal.dll"
File:"No admin in ACL","C:\Windows\System32\halacpi.dll"
File:"No admin in ACL","C:\Windows\System32\halmacpi.dll"
File:"No admin in ACL","C:\Windows\System32\hccoin.dll"
File:"No admin in ACL","C:\Windows\System32\hcrstco.dll"
File:"No admin in ACL","C:\Windows\System32\iscsilog.dll"
File:"No admin in ACL","C:\Windows\System32\SysFxUI.dll"
File:"No admin in ACL","C:\Windows\System32\WMALFXGFXDSP.dll"
File:"No admin in ACL","C:\Windows\System32\drivers\acpi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\atapi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\ataport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\bthenum.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\bthmodem.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\bthport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\BTHUSB.SYS"
File:"No admin in ACL","C:\Windows\System32\drivers\cdrom.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\disk.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\drmk.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\drmkaud.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\fdc.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hdaudbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidbth.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidparse.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidusb.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\i8042prt.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\kbdclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\kbdhid.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mouclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mouhid.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\msisadrv.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\msiscsi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mssmbios.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pciide.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pciidex.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\portcls.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\rdpdr.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\rfcomm.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\sermouse.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\termdd.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\umbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\USBAUDIO.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbccgp.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbd.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbehci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbhub.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbprint.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\USBSTOR.SYS"
File:"No admin in ACL","C:\Windows\System32\drivers\usbuhci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbvideo.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\vgapnp.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\volmgr.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\volsnap.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\xnacc.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\UMDF\WpdFs.dll"
File:"No admin in ACL","C:\Windows\inf\drvindex.dat"
File:"No admin in ACL","C:\Windows\inf\INFCACHE.1"
File:"No admin in ACL","C:\Windows\inf\infpub.dat"
File:"No admin in ACL","C:\Windows\inf\infstor.dat"
File:"No admin in ACL","C:\Windows\inf\infstrng.dat"

jislo
2008-04-28, 07:22
The quick scan showed nothing, but I ran a deep scan and it came up with that... I am not sure if that is right?

jislo
2008-04-28, 07:46
And these other folders/registry keys:

Directory:"No admin in ACL","D:\System Volume Information"
Directory:"No admin in ACL","C:\System Volume Information"
Directory:"No admin in ACL","C:\Windows\System32\LogFiles\WMI\RtBackup"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet021\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet021\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet020\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet019\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet018\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet017\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet016\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet015\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet014\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet013\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet012\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet011\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet010\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet009\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet008\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet007\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet006\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet004\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\","HotStart"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\","Svc"



Is it because only the system is allowed to write to these, or do I have a problem on my hands?

PepiMK
2008-04-28, 10:05
Is that Vista? Should've tested more on it then ;)

Yes, sounds a lot like that is "system account only" probably.
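
The question behind the "No admin in ACL" hits is whether the DACL simply lacks an entry for BUILTIN\Administrators while everything is granted to the system account (the benign Vista pattern suggested above), or whether something odder is going on. The following is an added example, not RootAlyzer's code, that makes that check explicit over SDDL strings, the text form Windows uses for security descriptors (on a live system, `(Get-Acl $path).Sddl` gives you one). The SDDL samples are constructed for illustration and are not the real descriptors of any file listed in this thread; the TrustedInstaller service SID is the well-known one, everything else named here is an assumption of the example.

```python
"""Classify an SDDL string by whether BUILTIN\\Administrators appears in its DACL.
Added example; the sample descriptors below are constructed, not captured."""
import re

# Well-known SDDL aliases resolved to SIDs (subset relevant here)
ALIAS_TO_SID = {
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
    "CO": "S-1-3-0",       # CREATOR OWNER
}
ADMIN_SID = ALIAS_TO_SID["BA"]
SYSTEM_SID = ALIAS_TO_SID["SY"]
# Service SID of the Windows Modules Installer (TrustedInstaller), which owns
# most operating-system files from Vista onward.
TRUSTED_INSTALLER_SID = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"

_ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_dacl(sddl):
    """Return (dacl_flags, [(ace_type, ace_flags, rights, sid), ...]) for the D: section.
    Returns None when there is no D: section at all: a NULL DACL, which means
    everyone has full access (the opposite of "locked down")."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    if not m:
        return None
    body = m.group(1)
    flags = body.split("(", 1)[0]          # e.g. "PAI" = protected, auto-inherited
    aces = []
    for raw in _ACE_RE.findall(body):
        fields = raw.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % raw)
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, trustee = fields[:6]
        aces.append((ace_type, ace_flags, rights, ALIAS_TO_SID.get(trustee, trustee)))
    return flags, aces


def classify(sddl):
    """Verdict plus the set of SIDs that are granted anything.
    Verdicts: 'null-dacl', 'empty-dacl', 'admin-denied', 'admin-allowed', 'no-admin-in-acl'."""
    parsed = parse_dacl(sddl)
    if parsed is None:
        return "null-dacl", set()
    _flags, aces = parsed
    if not aces:
        return "empty-dacl", set()          # nobody has access
    allowed = {sid for t, _f, _r, sid in aces if t in ("A", "OA")}
    denied = {sid for t, _f, _r, sid in aces if t in ("D", "OD")}
    if ADMIN_SID in denied:                 # deny ACEs win; worth a look
        return "admin-denied", allowed
    if ADMIN_SID in allowed:
        return "admin-allowed", allowed
    return "no-admin-in-acl", allowed


def looks_like_os_protected(sddl):
    """True for the benign pattern discussed above: admins absent, but every grant
    goes to SYSTEM or TrustedInstaller. False when an unexpected SID holds the access."""
    verdict, allowed = classify(sddl)
    return verdict == "no-admin-in-acl" and bool(allowed) and allowed <= {SYSTEM_SID, TRUSTED_INSTALLER_SID}


# Constructed sample descriptors (not taken from the files listed in this thread)
SAMPLES = {
    "system_only": "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;" + TRUSTED_INSTALLER_SID + ")",
    "admin_full": "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
    "admin_denied": "O:BAG:SYD:PAI(D;;FA;;;BA)(A;;FA;;;WD)",
    "unknown_sid": "O:SYG:SYD:PAI(A;;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1001)",
    "null_dacl": "O:BAG:SY",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        verdict, allowed = classify(sddl)
        print("%-13s %-16s os-protected=%-5s granted=%s" % (
            name, verdict, looks_like_os_protected(sddl), sorted(allowed)))
```

The point of returning the granted SIDs alongside the verdict is triage: a "no admin in ACL" hit where the only grants go to SYSTEM and TrustedInstaller is the expected Vista layout, while the same verdict with an unfamiliar account SID, a deny ACE against Administrators, or a missing DACL altogether is what actually deserves attention.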

jislo
2008-04-28, 10:17
Oh man, thanks for replying. It almost gave me a heart attack :(

jislo
2008-04-28, 10:38
And yeah, it is Vista.

PepiMK
2008-04-29, 10:19
Did write myself this task (http://forums.spybot.info/project.php?issueid=232) to make sure we'll whitelist Vista's system entries :)

einnob
2008-04-30, 04:22
What are the 4 digits that show up in the white box when I do a quick scan?

Example : 9096

PepiMK
2008-04-30, 16:03
Do you have Windows 2000? And refer to the lower white box on the Quick Scan tab?

The only thing mentioned with numbers there would probably be hidden processes. You can open Windows Task Manager, make sure the column PID is shown, and look for task 9096 (or whatever the current number is).

As a sidenote, that RootAlyzer tells you to not close or open other applications while it does the quick scan is important here; the method to detect rootkits is by comparing the contents of various system lists, and if one of these system lists shows a PID (process ID, a unique number assigned to an instance of an application in memory) that is NOT visible in the main process list, it's usually hidden by something there. Since reading these complete system lists takes a few seconds, they would get out of sync if applications have been opened or closed in between. Since you didn't see any name after the number, it could mean a program that has been closed during the scan.

If it happens more than once when starting RootAlyzer, chances are not that big that an application has again closed itself at exactly that moment.
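
The cross-view method described above, and the timing problem that comes with it, can be shown in code. What follows is an added example, not RootAlyzer's own code: the primary process list is compared against PIDs recovered from other kernel-maintained lists (here two side views, owners of entries in the system handle table and owners of threads), and a PID that shows up in a side view but not in the main list is flagged. Because a process that exits between the two reads produces exactly the same symptom, the scan is repeated and only PIDs that stay hidden across every pass are reported. All snapshots are constructed inline so the example runs offline; nothing is read from a live system, and the view names, PIDs and image names are assumptions of the example.

```python
"""Cross-view hidden-process detection with a repeat-scan filter for PIDs that
merely exited mid-scan.  Added example; all snapshot data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One scanner pass over the system lists, taken as close together as possible."""
    process_list: dict          # pid -> image name: the view Task Manager shows
    handle_owners: frozenset    # PIDs owning entries in the system handle table
    thread_owners: frozenset    # PIDs owning threads


def hidden_in_snapshot(snap):
    """Return {pid: {view, ...}} for PIDs present in a side view but absent from the
    main process list.  In a single pass this cannot distinguish a hidden process
    from one that exited after the main list was read."""
    hidden = {}
    for view, pids in (("handles", snap.handle_owners), ("threads", snap.thread_owners)):
        for pid in pids:
            if pid not in snap.process_list:
                hidden.setdefault(pid, set()).add(view)
    return hidden


def persistent_hidden(snapshots):
    """PIDs flagged in every snapshot: the ones worth investigating."""
    per_pass = [set(hidden_in_snapshot(s)) for s in snapshots]
    return set.intersection(*per_pass) if per_pass else set()


def transient_hidden(snapshots):
    """PIDs flagged in some passes but not all: most likely processes that exited
    during a scan, the race described in the post above."""
    per_pass = [set(hidden_in_snapshot(s)) for s in snapshots]
    if not per_pass:
        return set()
    return set.union(*per_pass) - set.intersection(*per_pass)


# Constructed data.  9096 is the hypothetical hidden process: it owns handles and
# threads in every pass but never appears in the main list.  3020 is a short-lived
# process that exited after the handle table was read in the first pass only.
BASE_PROCESSES = {4: "System", 528: "smss.exe", 600: "csrss.exe", 1188: "explorer.exe"}
VISIBLE = frozenset(BASE_PROCESSES)

PASS_1 = Snapshot(process_list=dict(BASE_PROCESSES),
                  handle_owners=VISIBLE | {9096, 3020},
                  thread_owners=VISIBLE | {9096})
PASS_2 = Snapshot(process_list=dict(BASE_PROCESSES),
                  handle_owners=VISIBLE | {9096},
                  thread_owners=VISIBLE | {9096})
PASS_3 = Snapshot(process_list=dict(BASE_PROCESSES),
                  handle_owners=VISIBLE | {9096},
                  thread_owners=VISIBLE | {9096})
SCANS = [PASS_1, PASS_2, PASS_3]

if __name__ == "__main__":
    for i, snap in enumerate(SCANS, 1):
        print("pass %d: flagged %s" % (i, hidden_in_snapshot(snap)))
    print("persistent (investigate):", sorted(persistent_hidden(SCANS)))
    print("transient (likely exited):", sorted(transient_hidden(SCANS)))
```

Two practical notes. First, this is why the scanner asks you not to start or close programs during a quick scan: every extra process churn adds candidates to the transient set and, if it happens to line up badly, can even keep a benign PID in the persistent set. Second, the method only catches a hider that forgot one of the views being compared; the more independent lists are cross-checked, the harder that becomes, which is why real tools compare far more than two.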

einnob
2008-04-30, 19:16
I have Windows XP Home Edition.

When I open Windows Task Manager, how do I get the PID column to show?

When the four-digit numbers appear, the green circle is red at "Invisible processes (from handles)". And no other applications are being opened or closed. Could it still be an application that the system is running that closes while RootAlyzer is running? It is the red that concerns me.

Thank you so much for the help.

Great products! Your dedication to internet safety is appreciated.

One more thing... I downloaded the update... in the older version you could click on the four-digit number and terminate it. But it does not work on this version... And the newer version has an update button... when I click on it nothing happens.

einnob
2008-04-30, 19:24
Found the PID column:

under View... Select Columns

:)