'Hidden' registry entries



Chikara
11-09-2011, 06:31 PM
Hi all

Recently decided to do a scan using TrendMicro's Rootkit Buster on my netbook.

The scan results show the following Hidden Objects - but doesn't give any explanation if they are malicious or not.
Can anyone here please let me know if I should do anything about these entries??

Note, the machine is kept up to date and regularly scanned with MS Security Essentials, MB Anti-Malware, and I also have Comodo Firewall on it. It's running Win 7 Starter.

Thanks in advance!


+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 3.60.0.1016
| Computer Name: TONY-EEE
| User Name: Tony
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243d42c9b
SubKey : 002243d42c9b
FullLength: 0x59
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243de9548
SubKey : 002243de9548
FullLength: 0x59
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1c4bd6051961
SubKey : 1c4bd6051961
FullLength: 0x59
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP
Root : 0
SubKey : DHCP
ValueName : Collection
Data :
ValueType : 3
AccessType: 0
FullLength: 0x58
DataSize : 0
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap
Root : 0
SubKey : RPC-EPMap
ValueName : Collection
Data : 87 0 1 0
ValueType : 3
AccessType: 0
FullLength: 0x5d
DataSize : 0x4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo
Root : 0
SubKey : Teredo
ValueName : Collection
Data :
ValueType : 3
AccessType: 0
FullLength: 0x5a
DataSize : 0
6 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAdjustPrivilegesToken
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x820a4be5
CurrentHandler : 0x8b75dda4
ServiceNumber : 0xc
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAlpcConnectPort
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x820952a6
CurrentHandler : 0x8b75f34c
ServiceNumber : 0x16
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAlpcCreatePort
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x82014c82
CurrentHandler : 0x8b75df90
ServiceNumber : 0x17
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwConnectPort
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x82097db1
CurrentHandler : 0x8b75d0ce
ServiceNumber : 0x3b
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateFile
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x8206f28a
CurrentHandler : 0x8b75da0a
ServiceNumber : 0x42
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreatePort
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x820117d5
CurrentHandler : 0x8b75cfae
ServiceNumber : 0x4d
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSection
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x82042f75
CurrentHandler : 0x8b75d79e
ServiceNumber : 0x54
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSymbolicLinkObject
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x82021871
CurrentHandler : 0x8b75efde
ServiceNumber : 0x56
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateThread
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x820fbcce
CurrentHandler : 0x8b75c99a
ServiceNumber : 0x57
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateThreadEx
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x820901cc
CurrentHandler : 0x8b75e09e
ServiceNumber : 0x58
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwLoadDriver
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x81fe5b80
CurrentHandler : 0x8b75e9ee
ServiceNumber : 0x9b
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwMakeTemporaryObject
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x8202b8cd
CurrentHandler : 0x8b75d396
ServiceNumber : 0xa4
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenFile
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x82051ba2
CurrentHandler : 0x8b75dbe6
ServiceNumber : 0xb3
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenSection
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x8208971c
CurrentHandler : 0x8b75d63a
ServiceNumber : 0xc2
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwRequestWaitReplyPort
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x8205d96b
CurrentHandler : 0x8b75e48a
ServiceNumber : 0x12b
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSecureConnectPort
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x8207de62
CurrentHandler : 0x8b75e73e
ServiceNumber : 0x138
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetSystemInformation
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x8206e194
CurrentHandler : 0x8b75ece6
ServiceNumber : 0x15e
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwShutdownSystem
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x821226d3
CurrentHandler : 0x8b75d300
ServiceNumber : 0x168
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSystemDebugControl
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x820a5514
CurrentHandler : 0x8b75d526
ServiceNumber : 0x170
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x8207aa65
CurrentHandler : 0x8b75cdb0
ServiceNumber : 0x172
ModuleName : cmdguard.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateThread
Image Path : C:\windows\System32\DRIVERS\cmdguard.sys
OriginalHandler : 0x820983dc
CurrentHandler : 0x8b75cb9e
ServiceNumber : 0x173
ModuleName : cmdguard.sys
SDTType : 0x0


--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.

Speedy Gonzales
11-09-2011, 06:58 PM
Use tdsskiller. If it brings nothing up, then you don't have any rootkits. Bthport is probably Bluetooth. And MpsSvc maybe the firewall. And cmdguard Comodo.
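The triage Speedy Gonzales does by eye (read the service name out of each hidden key path, and the module name out of each SSDT hook) can be done mechanically over the RootkitBuster text format shown in the first post. The following is an added example, not code from the thread or from Trend Micro; the log excerpt inside it is constructed from the entries above, and the field names are assumed to match that format.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootkitBuster report format pasted above.
SAMPLE_LOG = """\
--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BTHPORT\\Parameters\\Keys\\002243d42c9b
SubKey : 002243d42c9b
FullLength: 0x59
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MpsSvc\\Parameters\\PortKeywords\\DHCP
SubKey : DHCP
ValueName : Collection
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwCreateFile
Image Path : C:\\windows\\System32\\DRIVERS\\cmdguard.sys
ModuleName : cmdguard.sys
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path : C:\\windows\\System32\\DRIVERS\\cmdguard.sys
ModuleName : cmdguard.sys
"""

# The service that owns a key path lives right after ...\CurrentControlSet\Services\
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)", re.IGNORECASE)

def parse_entries(text):
    """Split the report into records. A record starts at a '[...]' header line and
    gathers the following 'Field : value' lines; section markers end a record."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("["):
            current = {"type": line.strip().rstrip(":")}
            entries.append(current)
        elif line.startswith("--=="):
            current = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon ends the field name
            current[key.strip()] = value.strip()
    return entries

def summarize(entries):
    """Group hidden registry entries by owning service and SSDT hooks by the
    module that installed them, which is what a triager wants to see first."""
    by_service, by_module = defaultdict(list), defaultdict(list)
    for e in entries:
        if e["type"].startswith("[HIDDEN_REGISTRY]"):
            m = SERVICE_RE.search(e.get("KeyPath", ""))
            by_service[m.group(1) if m else "?"].append(e.get("SubKey", "?"))
        elif e["type"] == "[HOOKED_SERVICE_API]":
            by_module[e.get("ModuleName", "?")].append(e.get("Service API", "?"))
    return dict(by_service), dict(by_module)
```

Every hook attributed to one known driver (here cmdguard.sys, Comodo's) and hidden keys under a recognised service name are the "probably benign" bucket; anything grouped under "?" or an unfamiliar module is what to look at next.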

Chikara
12-09-2011, 12:39 AM
I downloaded and scanned tdsskiller, all clear there. So I won't worry about those earlier results from Trend Micro's scan. Thanks a lot!

1101
12-09-2011, 09:54 AM
tdsskiller ONLY scans for 1 rootkit : tdss (I may be wrong here ??)

but don't panic :lol:
many legit programs use rootkits for legit reasons. Delete them & that software may stop working.
'dumb' rootkit scanners require a lot of effort on your part to sift through the results, I gave up on
those more generic rootkit scanners long ago as the results were just too hard to interpret.
As you have just seen.

bevy121
12-09-2011, 01:15 PM
yea.... it's for the tdss "family"

The second one sounds promising :)


Rootkit.Win32.TDSS;
Rootkit.Win32.Stoned.d;
Rootkit.Boot.Cidox.a;
Rootkit.Boot.SST.a;
Rootkit.Boot.Pihar.a;
Rootkit.Boot.MyBios.b;
Rootkit.Win32.TDSS.mbr;
Rootkit.Win32.ZAccess.c,e,f;
Backdoor.Win32.Trup.a,b;
Backdoor.Win32.Sinowal.knf,kmy;
Backdoor.Win32.Phanta.a,b;
Trojan-Clicker.Win32.Wistler.a,b,c;
Virus.Win32.TDSS.a,b,c,d,e;
Virus.Win32.Rloader.a;
Virus.Win32.Cmoser.a

Agent_24
12-09-2011, 02:20 PM
many legit programs use rootkits for legit reasons. Delete them & that software may stop working.

There's no good reason for any legitimate program to use a rootkit.

1101
12-09-2011, 02:32 PM
There's no good reason for any legitimate program to use a rootkit.

from wiki so must be true :punk
"Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. "
"Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen"
"Alcohol 120% and Daemon Tools are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and SecuROM"


some programs use rootkits as part of their DRM/anti-piracy, I think Norton may have in the past ??
And of course that 100% legit Sony incident that helped start it all a while back :-)

Agent_24
12-09-2011, 02:39 PM
Well I guess that makes sense... but then is it really a rootkit? I suppose so, but mostly when we talk about them we mean the bad ones don't we?

In any case, I've still got a very dim view on DRM/anti-piracy rubbish like Sony's old audio CD protection.


I don't want my computer filled up with hidden crap because I PAID FOR something. When people do that, it's just a good reason to pirate the thing so you don't get the bloated anti-piracy rubbish with it!

Snorkbox
12-09-2011, 02:51 PM
But there is a legit reason to have a rootkit on your PC then is there not?

Agent_24
12-09-2011, 03:07 PM
A legit reason (in that it's not malware) maybe, but still not a good reason.

Chikara
12-09-2011, 03:37 PM
Interesting points and discussions!

Anyway, I'll assume the scan results I posted originally are all legit, unless someone says otherwise.
I'm a bit more paranoid on this machine than my home PC, as this is the machine I use when I travel for work, so I use hotel and free wifi quite a lot - which brings more risks.