CCE scan found this hidden registry key in:
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ów*]
C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT
I know PUBPLACE.HTT is legit, but that folder name is strange. I found this on two of my machines.
First of all, is this safe to delete, and second of all, is there any way to determine where this came from?
Thanks.
The registry key is definitely a bit odd. I’m guessing by the PUBPLACE.HTT that this is an XP machine? Usually that key looks like:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\
With SIDs following, most commonly S-1-5-18, which is LocalSystem. This is followed by \Components{GUIDs}. For example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29A1D8D4B1639A14D9A0AC98939ECEB6
Value Name - 54DFA9E0AB3C1D145BB494A522BC4390
Value Data - 02:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMODO Internet Security
For what it’s worth, the aforementioned key is used by MSI installers, so it’s possible what you’re seeing is corruption from a failed/aborted install, hence the key corruption. However, the fact that it’s pointing to shared web folders is strange. I can’t see there’d be any problems deleting the key; just make a backup first.
> this is an XP machine?
Indeed. Both machines are running XP Pro SP 3, with the other machine having had a clean OS installation just yesterday, which makes it even more strange that it also had this same key.
> For what it's worth the aforementioned key is used by MSI installers so it's possible what you're seeing is corruption from a failed/aborted install, hence the key corruption.
The only programs installed on it were CIS v6 and a USB mobile modem driver. I’m clueless where it could have come from, if not from one of those two.
Hopefully it wasn’t a sign of an infection. I deleted them as you suggested.
Thanks for the input!
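
The key layout described in the reply above (a SID under UserData, then Components, then a GUID-style name) can be checked mechanically against a list of exported key paths. This is an added example, not part of the original thread: the function names and sample paths are constructed for illustration, and the 32-hex-digit rule is an assumption inferred from the example key in the reply.

```python
import re

# Layout described in the reply: ...\Installer\UserData\<SID>\Components\<GUID>
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"
SID_RE = re.compile(r"S-1-\d+(-\d+)+")
# Assumption: component key names are 32 hex digits, as in the reply's example.
COMPONENT_RE = re.compile(r"[0-9A-Fa-f]{32}")


def check_key(path):
    """Return the deviations from the expected layout (empty list = looks normal)."""
    # Registry paths are case-insensitive, so compare the prefix in upper case.
    if not path.upper().startswith(BASE.upper() + "\\"):
        return ["not under Installer\\UserData"]
    parts = path[len(BASE) + 1:].split("\\")
    issues = []
    if not SID_RE.fullmatch(parts[0]):
        issues.append("first segment %r is not a SID" % parts[0])
    if len(parts) >= 3 and parts[1].lower() == "components":
        name = parts[2]
        if any(not (32 <= ord(c) < 127) for c in name):
            issues.append("component name has non-printable or non-ASCII characters")
        elif not COMPONENT_RE.fullmatch(name):
            issues.append("component name %r is not 32 hex digits" % name)
    return issues


def scan(paths):
    """Map each anomalous path to its list of issues; normal paths are omitted."""
    return {p: found for p in paths if (found := check_key(p))}


# Constructed sample input: one well-formed key and two malformed ones.
GOOD = BASE + r"\S-1-5-18\Components\29A1D8D4B1639A14D9A0AC98939ECEB6"
ODD_NAME = BASE + "\\LocalSystem\\Components\\\x95\x80|\xff\xff"
SHORT_NAME = BASE + r"\S-1-5-18\Components\ABC"

if __name__ == "__main__":
    for path, found in scan([GOOD, ODD_NAME, SHORT_NAME]).items():
        print(repr(path))
        for issue in found:
            print("   -", issue)
```
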