Possible rootkit


Robert Brereton

Hi All,
I have just run the Sophos anti-rootkit scanner and it has popped up with this
as a hidden registry item:

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409
Removable: No
Notes: (no more detail available)

Does anyone know what it is? I suspect it is the US version of the
keyboard, which is not used here (in UK) but am concerned it may actually be
something nasty.

Thanks in advance

Bob
 

R. C. White

Hi, Robert.

I don't know what else may be hidden in your Registry, but THAT key should
be benign. ;<)

I have the same entry exactly. My only question might be the values in the
final key. Here in the USA, I also have the key
HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409

That "0409" at the end of the value is hex code for 1033, which is the
location code for the USA. In the UK, you might need a different code,
perhaps 0x0809. You might want to take a look around here:
United Kingdom Keyboard
http://msdn.microsoft.com/en-us/library/ee485827.aspx

FYI: Here is the full text of my entries in that Registry key, exported as
a .txt file:
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409]

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}]
"Default"="{00000000-0000-0000-0000-000000000000}"
"Profile"="{00000000-0000-0000-0000-000000000000}"
"KeyboardLayout"=dword:04090409

I know nothing about Sophos or rootkits, but you may be getting a false
positive here.

RC
--
R. C. White, CPA
San Marcos, TX
Microsoft Windows MVP
Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64
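The reply above decodes the key name by hand (0x0409 = 1033 = US English) and pastes the .reg export for comparison. The script below is an added example, not code from either poster: it parses a .reg export of the CTF\Assemblies key, decodes each LANGID using the standard split (primary language in the low 10 bits, sublanguage in the high 6), reads the KeyboardLayout dword as an HKL (low word = language identifier, high word = layout handle), and flags anything that does not look like a plain keyboard layout entry. The sample export is the one pasted in the thread, reproduced inline as constructed input; the function names and the small LANGID lookup tables are my own.

```python
"""Decode and sanity-check CTF\\Assemblies entries from a .reg export."""
import re

# Constructed sample: the export as pasted in the thread, not taken from a live system.
# A real regedit export is UTF-16LE; decode it to str before passing it in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409]

[HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}]
"Default"="{00000000-0000-0000-0000-000000000000}"
"Profile"="{00000000-0000-0000-0000-000000000000}"
"KeyboardLayout"=dword:04090409
"""

# Small subset of the Win32 LANG_* / SUBLANG_* tables, assumed sufficient for the demo.
PRIMARY_LANG = {0x09: "English", 0x07: "German", 0x0C: "French", 0x0A: "Spanish"}
SUBLANG_ENGLISH = {0x01: "US", 0x02: "UK", 0x03: "Australia", 0x04: "Canada"}

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

# Matches ...\CTF\Assemblies\0x<LANGID> and the optional \{CLSID} subkey beneath it.
ASSEMBLIES_RE = re.compile(
    r"\\CTF\\Assemblies\\0x([0-9A-Fa-f]{8})(?:\\(\{[0-9A-Fa-f-]{36}\}))?$")


def decode_langid(langid):
    """Turn a LANGID such as 0x0409 into a readable name (primary = low 10 bits, sublang = high 6)."""
    primary = langid & 0x3FF
    sub = langid >> 10
    name = PRIMARY_LANG.get(primary, f"primary 0x{primary:02x}")
    if primary == 0x09:
        name += " (" + SUBLANG_ENGLISH.get(sub, f"sublang 0x{sub:02x}") + ")"
    return name


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the text of a .reg export."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                entries[current][name] = int(raw[len("dword:"):], 16)
            else:
                entries[current][name] = raw.strip('"')
    return entries


def audit_assemblies(text):
    """Describe each CTF\\Assemblies entry and flag values that merit a closer look."""
    findings = []
    for path, values in parse_reg(text).items():
        m = ASSEMBLIES_RE.search(path)
        if not m:
            continue
        langid = int(m.group(1), 16)
        clsid = m.group(2)
        item = {"path": path, "langid": langid, "language": decode_langid(langid),
                "clsid": clsid, "flags": []}
        if clsid:
            kl = values.get("KeyboardLayout")
            if kl is not None:
                # HKL convention: low word is the language identifier, high word the layout handle.
                item["layout_langid"] = kl & 0xFFFF
                item["layout_handle"] = kl >> 16
                if (kl & 0xFFFF) != langid:
                    item["flags"].append("KeyboardLayout language does not match the key's LANGID")
            for name in ("Default", "Profile"):
                # A non-null GUID here names a text service (e.g. an IME); identify it under HKCR\CLSID.
                if values.get(name, NULL_GUID) != NULL_GUID:
                    item["flags"].append(f"{name} names text service {values[name]}; resolve it under HKCR\\CLSID")
        findings.append(item)
    return findings


if __name__ == "__main__":
    for f in audit_assemblies(SAMPLE_REG):
        print(f["path"], "->", f["language"], f["flags"] or "ok")
```

For the pasted export this reports both keys as English (US) with no flags, which matches the reply's reading of the key. A UK layout would appear as 0x00000809 and decode to English (UK); an entry whose Default or Profile GUID is non-null is not automatically suspicious (input method editors register that way), but it is the value worth resolving before deciding the key is benign.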
 
