The registry key with NtmsSvc is related to Removable Storage Service
.Not all hidden components detected
by anti-rootkit (ARK) scanners and security tools are malicious
. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators
sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.
API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found
. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
This is what Avira says about hidden objects.
Avira Support Forum: Scan Results Question - Warnings - Detections - Hidden Objects
A hidden object refers to a registry entry or file or folder that is invisible to the operating system. This includes rootkits which are used to hide malware. These are dangerous. But keep in mind that not all hidden objects are dangerous as there are legal programs which hide their own files and registry entries.