Hidden even from regedt32? As in you have a program running intercepting API calls?

Thane Sherrington wrote:
> Anyone use this? I have a machine that has hidden registry keys
> according to SAR, but not BlackIce. The log is below. The problem is
> that SAR says the items are "non-removable." Anyone know how to edit
> hidden items in the registry? BartPE with some utility perhaps?
>
>
> Sophos Anti-Rootkit Version 1.0 (c) 2006 Sophos Plc
> Started logging on 10/31/2006 at 16:10:04 PM
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\ErrorGuard
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Fun Web Products
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Hotbar
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{946B3E9E-E21A-49c8-9F63-900533FAFE14}
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{946B3E9E-E21A-49c8-9F63-900533FAFE15}
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{74CC49F7-EB32-4A08-B204-948962A6E3DB}
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{74CC49F7-EB32-4A08-B204-948962A6E3DB}
> Hidden: registry item \HKEY_USERS\S-1-5-18\Software\MyWebSearch
> Stopped logging on 10/31/2006 at 16:16:00 PM
>
>
> T