
XP Home normally hidden registry entries?



#1 AfpMike


Posted 16 October 2010 - 07:09 PM

Hi,

I'm doing a follow-up check on my system after clearing a stubborn rootkit using UnHackMe. While I didn't end up learning what the infection was, the negative behaviors and scans with typical malware, HJT and rootkit tools are no longer showing any hooked processes and several adverse files were removed successfully.

The only question I have remaining is regarding McAfee's Rootkit Detective flushing up some 75 hidden registry values. I've tried googling to determine if it's normal to find hidden reg entries in a proper registry config, but was unable to confirm if this is normal or not.

The list it returns is below, but my only question is whether there should ever "normally" be hidden registry values or not?
I assume the function to hide them wouldn't exist if it were not normal in some cases.

If so, how does one determine what entries would normally be hidden, or at least those of Microsoft origin?


Thanks in advance.

Mike

McAfee Hidden registry list....


Scan complete. Hidden registry keys/values: 75
McAfee® Rootkit Detective 1.1 scan report
On 10-10-2010 at 03:48:29
OS-Version 5.1.2600
Service Pack 3.0
====================================

Scan complete. No hidden processes/files found.
Total files scanned: 0
McAfee® Rootkit Detective 1.1 scan report
On 10-10-2010 at 03:48:50
OS-Version 5.1.2600
Service Pack 3.0
====================================

Scan complete. No hidden processes/files found.
Total files scanned: 0
McAfee® Rootkit Detective 1.1 scan report
On 10-10-2010 at 04:02:06
OS-Version 5.1.2600
Service Pack 3.0
====================================

Scan complete. No hidden processes/files found.
Total files scanned: 0
McAfee® Rootkit Detective 1.1 scan report
On 10-10-2010 at 04:02:25
OS-Version 5.1.2600
Service Pack 3.0
====================================

Scan complete. No hidden processes/files found.
Total files scanned: 0
McAfee® Rootkit Detective 1.1 scan report
On 10-10-2010 at 04:15:06
OS-Version 5.1.2600
Service Pack 3.0
====================================

Scan complete. No hidden processes/files found.
Total files scanned: 0
McAfee® Rootkit Detective 1.1 scan report
On 10-10-2010 at 11:04:01
OS-Version 5.1.2600
Service Pack 3.0
====================================

Scan complete. No hidden processes/files found.
Total files scanned: 0
McAfee® Rootkit Detective 1.1 scan report
On 16-10-2010 at 18:43:00
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Status: Hidden

Object-Type: Registry-value
Object-Name: *
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Status: Hidden

Object-Type: Registry-value
Object-Name: infopath.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Status: Hidden

Object-Type: Registry-value
Object-Name: msn6.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: SAPLOGON.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: SAPfewgsrv.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: *
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: SAPGUI.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: SAPGuiIT.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: SAPLgPad.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: Scale_for_R3.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HONOR_XUNSENT_IN_FILE
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Status: Hidden

Object-Type: Registry-value
Object-Name: waol.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART
Status: Hidden

Object-Type: Registry-value
Object-Name: cs.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART
Status: Hidden

Object-Type: Registry-value
Object-Name: wm.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
Status: Hidden

Object-Type: Registry-value
Object-Name: winmail.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
Status: Hidden

Object-Type: Registry-value
Object-Name: WMPlayer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
Status: Hidden

Object-Type: Registry-value
Object-Name: iexplore.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
Status: Hidden

Object-Type: Registry-value
Object-Name: explorer.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
Status: Hidden

Object-Type: Registry-value
Object-Name: msimn.exe
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
Status: Hidden

Object-Type: Registry-key
Object-Name: DataWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Status: Hidden

Object-Type: Registry-key
Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-value
Object-Name: Value
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Scan complete. Hidden registry keys/values: 75


Edited by hamluis, 16 October 2010 - 07:28 PM.
Moved from XP to Am I Infected forum ~ Hamluis.

