
Thread: 9 hidden registry keys found

  1. #1
    Junior Member
    Join Date
    Aug 2007
    Posts
    27

    9 hidden registry keys found

    Here are the 9 hidden registry keys that RootAlyzer found.

    // info: Rootkit removal help file
    // copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\????????\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?
    SID\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?
    SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""

    How do I remove them?

  2. #2
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,574


    What does the "details" column in the results list say about these entries?

    They all look like the registry "corruption" problem though, since I haven't found any way even rootkits could create entries with a length of 0 for the name yet. Will give it a try next week; until then, I would recommend doing nothing about them, since they're most likely "just" a slightly corrupted registry thing.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    Junior Member
    Join Date
    Aug 2007
    Posts
    27

    9 hidden registry keys

    Thank you for your response. They say "could not open key". A few days ago I went to log on to my Hotmail account and I received a message that the Live Mail page had been updated and I needed to re-enter my info. This raised suspicion, so I ran RootAlyzer and the above items came up. Again, thank you for your response.

    billybob0626

  4. #4
    Junior Member
    Join Date
    Apr 2008
    Posts
    6


    Hi everyone, I got something similar.

    In the script for the Spybot include screen, where you can actually copy the text, this is what I got:
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\???FreeAgent Drive_270747319\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\???FreeAgent Drive_2363351417\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\?????????????????\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\?*???????????*?*????\",""


    But in the actual deep scan window I get a bunch of what seem to be Chinese symbols...
    Here's a link to a screenshot of that screen. I am sorry if this is not allowed; I just don't know how else to show you: http://i28.tinypic.com/2jbpdhe.jpg

  5. #5
    Junior Member
    Join Date
    Apr 2008
    Posts
    6


    Never mind that; I downloaded the update and ran a deep scan again, and now I got a bunch of system folders and registry files marked as "No admin in ACL"
    and a lot of "Unknown ADS" entries for files I created and that I know are safe... no idea if these results are right or why they are being flagged like this...

    Examples of the "No admin in ACL" files:
    File:"No admin in ACL","D:\Windows\System32\drivers\disk.sys"
    File:"No admin in ACL","D:\Windows\System32\drivers\hidclass.sys"
    File:"No admin in ACL","D:\Windows\System32\drivers\hidparse.sys"
    File:"No admin in ACL","D:\Windows\System32\drivers\hidusb.sys"
    File:"No admin in ACL","D:\Windows\System32\drivers\mouclass.sys"
    File:"No admin in ACL","D:\Windows\System32\drivers\mouhid.sys"
    File:"No admin in ACL","D:\Windows\System32\drivers\USBSTOR.SYS"
    File:"No admin in ACL","D:\Windows\System32\drivers\volsnap.sys"
    File:"No admin in ACL","D:\Windows\inf\drvindex.dat"
    File:"No admin in ACL","D:\Windows\inf\INFCACHE.1"
    File:"No admin in ACL","D:\Windows\inf\infpub.dat"
    File:"No admin in ACL","D:\Windows\inf\infstor.dat"
    File:"No admin in ACL","D:\Windows\inf\infstrng.dat"
    File:"No admin in ACL","C:\Windows\bthservsdp.dat"
    File:"No admin in ACL","C:\Windows\System32\fsquirt.exe"
    File:"No admin in ACL","C:\Windows\System32\hal.dll"
    File:"No admin in ACL","C:\Windows\System32\halacpi.dll"
    File:"No admin in ACL","C:\Windows\System32\halmacpi.dll"
    File:"No admin in ACL","C:\Windows\System32\hccoin.dll"
    File:"No admin in ACL","C:\Windows\System32\hcrstco.dll"
    File:"No admin in ACL","C:\Windows\System32\iscsilog.dll"
    File:"No admin in ACL","C:\Windows\System32\SysFxUI.dll"
    File:"No admin in ACL","C:\Windows\System32\WMALFXGFXDSP.dll"
    File:"No admin in ACL","C:\Windows\System32\drivers\acpi.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\atapi.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\ataport.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\bthenum.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\bthmodem.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\bthport.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\BTHUSB.SYS"
    File:"No admin in ACL","C:\Windows\System32\drivers\cdrom.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\disk.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\drmk.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\drmkaud.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\fdc.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\hdaudbus.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\hidbth.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\hidclass.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\hidparse.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\hidusb.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\i8042prt.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\kbdclass.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\kbdhid.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\mouclass.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\mouhid.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\msisadrv.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\msiscsi.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\mssmbios.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\pci.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\pciide.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\pciidex.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\portcls.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\rdpdr.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\rfcomm.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\sermouse.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\termdd.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\umbus.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\USBAUDIO.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbccgp.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbd.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbehci.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbhub.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbport.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbprint.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\USBSTOR.SYS"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbuhci.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\usbvideo.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\vgapnp.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\volmgr.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\volsnap.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\xnacc.sys"
    File:"No admin in ACL","C:\Windows\System32\drivers\UMDF\WpdFs.dll"
    File:"No admin in ACL","C:\Windows\inf\drvindex.dat"
    File:"No admin in ACL","C:\Windows\inf\INFCACHE.1"
    File:"No admin in ACL","C:\Windows\inf\infpub.dat"
    File:"No admin in ACL","C:\Windows\inf\infstor.dat"
    File:"No admin in ACL","C:\Windows\inf\infstrng.dat"
    Last edited by jislo; 2008-04-28 at 07:20.

  6. #6
    Junior Member
    Join Date
    Apr 2008
    Posts
    6


    The quick scan showed nothing, but I ran a deep scan and it came up with that... I am not sure if that is right?

  7. #7
    Junior Member
    Join Date
    Apr 2008
    Posts
    6


    And these other folders/registry keys:

    Directory:"No admin in ACL","D:\System Volume Information"
    Directory:"No admin in ACL","C:\System Volume Information"
    Directory:"No admin in ACL","C:\Windows\System32\LogFiles\WMI\RtBackup"
    Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
    Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","DcomLaunch"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet021\Services\","DcomLaunch"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet021\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet020\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet019\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet018\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet017\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet016\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet015\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet014\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet013\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet012\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet011\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet010\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet009\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet008\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet007\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet006\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet004\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet003\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","DcomLaunch"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","RpcSs"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\","HotStart"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\","Svc"

    Is it because only the system is allowed to write to these, or do I have a problem on my hands?

  8. #8
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,574


    Is that Vista? Should've tested more on it then.

    Yes, sounds a lot like that is "system account only" probably.
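    The two questions in this thread (hidden keys that cannot be opened, and objects flagged "No admin in ACL") can both be checked directly. The script below is an added example, not code from the thread or from Safer Networking: it parses RootAlyzer result lines in the format posted above and, for "No admin in ACL" findings, reads the real ACL with Get-Acl so you can see who actually holds access. It assumes Windows PowerShell 3.0 or later run elevated; the sample lines are constructed from the thread.

```powershell
# Added example (not from the thread or Safer Networking): parse RootAlyzer result lines
# and verify "No admin in ACL" findings against the live ACL. Sample lines are constructed.

$sample = @'
File:"No admin in ACL","C:\Windows\System32\hal.dll"
Directory:"No admin in ACL","C:\System Volume Information"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","RpcSs"
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\",""
'@ -split "`r?`n"

function ConvertFrom-RootAlyzerLine {
    param([string]$Line)
    # Each line is Kind:"Detail","field",...; RegyKey carries hive, parent path and leaf name
    if ($Line -notmatch '^(?<kind>\w+):(?<rest>.+)$') { return }
    $kind = $Matches.kind
    $f = [regex]::Matches($Matches.rest, '"([^"]*)"') | ForEach-Object { $_.Groups[1].Value }
    $path = if ($kind -eq 'RegyKey') { 'Registry::' + $f[1] + $f[2] + $f[3] } else { $f[1] }
    [pscustomobject]@{ Kind = $kind; Detail = $f[0]; Path = $path }
}

function Test-RootAlyzerFinding {
    param($Finding)
    # -LiteralPath matters here: the unprintable key names are shown as '?', a wildcard
    if ($Finding.Detail -ne 'No admin in ACL') {
        $exists = Test-Path -LiteralPath $Finding.Path
        return "{0}: openable from this session = {1}" -f $Finding.Path, $exists
    }
    $acl = Get-Acl -LiteralPath $Finding.Path -ErrorAction SilentlyContinue
    if (-not $acl) {
        return "{0}: ACL not readable from this account" -f $Finding.Path
    }
    $who = $acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    # Compare owner and principals against a known-good machine of the same Windows build;
    # a missing Administrators entry by itself is not evidence of tampering.
    "{0}`n  owner: {1}`n  principals: {2}`n  BUILTIN\Administrators listed: {3}" -f `
        $Finding.Path, $acl.Owner, ($who -join ', '), ($who -contains 'BUILTIN\Administrators')
}

$sample | ForEach-Object { ConvertFrom-RootAlyzerLine $_ } | ForEach-Object { Test-RootAlyzerFinding $_ }
```

    To check your own results, replace the constructed $sample block with the lines copied from the Spybot include screen.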

  9. #9
    Junior Member
    Join Date
    Apr 2008
    Posts
    6


    Oh man, thanks for replying. It almost gave me a heart attack :(

  10. #10
    Junior Member
    Join Date
    Apr 2008
    Posts
    6


    And yeah, it is Vista.
