Possible rootkit


Robert Brereton

Hi All,
I have just run the Sophos anti-rootkit scanner and it has popped up with this
as a hidden registry item:

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409
Removable: No
Notes: (no more detail available)

Does anyone know what it is? I suspect it is the US version of the
keyboard, which is not used here (in UK) but am concerned it may actually be
something nasty.

Thanks in advance

Bob

R. C. White

Hi, Robert.

I don't know what else may be hidden in your Registry, but THAT key should
be benign. ;<)

I have the same entry exactly. My only question might be the values in the
final key. Here in the USA, I also have the key
HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409

That "0409" at the end of the value is hex code for 1033, which is the
location code for the USA. In the UK, you might need a different code,
perhaps 0x0809. You might want to take a look around here:
United Kingdom Keyboard
http://msdn.microsoft.com/en-us/library/ee485827.aspx

FYI: Here is the full text of my entries in that Registry key, exported as
a .txt file:
<paste>
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409]

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}]
"Default"="{00000000-0000-0000-0000-000000000000}"
"Profile"="{00000000-0000-0000-0000-000000000000}"
"KeyboardLayout"=dword:04090409
</paste>

I know nothing about Sophos or rootkits, but you may be getting a false
positive here.

RC
--
R. C. White, CPA
San Marcos, TX
(e-mail address removed)
Microsoft Windows MVP
Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64
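As an added illustration of RC's reasoning (not code from either poster), the snippet below parses a .reg export like the one above, decodes the KeyboardLayout DWORD into its layout and language words, and checks whether the language word agrees with the 0x00000409 in the key path and whether Default/Profile are the all-zero GUIDs RC reported. The sample text is constructed from the values in his post; the LANGID table covers only the two codes the thread mentions.

```python
import re

# Constructed sample: the .reg export RC posted, verbatim.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409]

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}]
"Default"="{00000000-0000-0000-0000-000000000000}"
"Profile"="{00000000-0000-0000-0000-000000000000}"
"KeyboardLayout"=dword:04090409
"""

# Windows language identifiers (LANGIDs) named in the thread.
LANGIDS = {0x0409: "en-US (1033)", 0x0809: "en-GB (2057)"}
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg (v5) export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                  # [HKEY_...] opens a new key
            current = m.group(1)
            keys[current] = {}
        elif current and line.startswith('"'):  # "Name"=value
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip('"')
    return keys

def decode_klid(raw):
    """'dword:04090409' -> (layout word 0x0409, language word 0x0409)."""
    value = int(raw.split(":", 1)[1], 16)
    return value >> 16, value & 0xFFFF

def triage_ctf_assemblies(text):
    """Compare each CTF\\Assemblies\\0x<LANGID> key against its KeyboardLayout value."""
    findings = []
    for path, values in parse_reg(text).items():
        m = re.search(r"\\CTF\\Assemblies\\0x([0-9A-Fa-f]{8})\\\{", path)
        if not m or "KeyboardLayout" not in values:
            continue
        path_langid = int(m.group(1), 16)
        layout, langid = decode_klid(values["KeyboardLayout"])
        consistent = (langid == path_langid
                      and values.get("Default") == NULL_GUID
                      and values.get("Profile") == NULL_GUID)
        findings.append({"path": path, "langid": LANGIDS.get(langid, hex(langid)),
                         "layout": hex(layout), "matches_thread_pattern": consistent})
    return findings
```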