In the registry, is "Protocol_Catalog9" malware?

David Peters

In my registry I have a key which is accessed very frequently by my
firewall (by Filseclab).

HKLM\SYSTEM\CurrentControlSet\Services\
WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries


Many of the Google hits on "Protocol_Catalog9" refer to malware.

However, is this key normally found in an XP Pro/SP2 ?

Thank you.
 
Wesley Vogel

Yes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
WinSock2\Parameters\Protocol_Catalog9
is a normal key.

It depends what's in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Ramesh, MS-MVP

Exactly as Wesley said. In addition, you can get Autoruns utility from
Sysinternals.com and check the catalog entries, present under the "Winsock
providers" tab.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows XP Shell/User]
Windows® XP Troubleshooting http://www.winhelponline.com



Brian Cryer

David Peters said:
In my registry I have a key which is accessed very frequently by my
firewall (by Filseclab).

HKLM\SYSTEM\CurrentControlSet\Services\
WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries


Many of the Google hits on "Protocol_Catalog9" refer to malware.

However, is this key normally found in an XP Pro/SP2 ?

Thank you.

I don't know what the key is used for (although given its location in the
registry I would guess at something to do with the network), nor am I using
Filseclab firewall, however I can confirm that my XP Pro/SP2 machine has
this key. Another PC in the office I've just looked at also has this key, so
I think it reasonable to conclude that yes, you would normally expect to
find this key.

Hope this helps.
 
Joined
Jul 15, 2018
Messages
5
Reaction score
1
This is totally just going on a 'hunch' but I also investigated this as the SysInternals program autoruns64 had highlighted programs almost all the keys listed under this directory in the registry on my system. This isn't even really what caught my attention... it also reported that the VirusTotal website indicated 1 out of 60 antivirus programs identify them as malware. The fact of the matter is... I know the source for these entries... at least on my system. I may not have known immediately, but the program in question had an issue which I had to troubleshoot, and as a result, I gained a bit of knowledge regarding the inner workings of the Windows networking system.

At any rate, let me stop rambling on and just ask you... do you or anyone you know use any VPN software on the computer to which you're referring? Perhaps not currently but at some point in the past? I pay for VPN service (which some will argue is ultimately pretty senseless/pointless/worthless) and happen to know that to establish the virtual private network, there are several protocols installed when the VPN software itself is installed.

[EDIT]

Oh... and sorry... by the way, it's not malware. Not in the case of using a VPN, anyway. This would also explain the access to your firewall.
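
Added example (not part of any post in this thread): the replies agree that the key itself is normal and that what matters is what the entries under Catalog_Entries point to. This PowerShell sketch lists each entry with the provider DLL it loads, the file's company name and its signature status, which is roughly what the Autoruns "Winsock providers" tab shows. It assumes each entry stores a `PackedCatalogItem` binary value that begins with the provider DLL path as a NUL-terminated ANSI string.

```powershell
# Added example: enumerate Winsock catalog entries and the DLL behind each one.
# Run from an elevated prompt so every provider file can be read.
$entries = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'

Get-ChildItem -Path $entries | ForEach-Object {
    $blob = (Get-ItemProperty -Path $_.PSPath).PackedCatalogItem
    if (-not $blob) { return }               # entry without the expected value

    # Assumption: the DLL path is the NUL-terminated ANSI string at offset 0.
    $end = [Array]::IndexOf($blob, [byte]0)
    if ($end -lt 1) { return }
    $raw  = [System.Text.Encoding]::ASCII.GetString($blob, 0, $end)
    $path = [Environment]::ExpandEnvironmentVariables($raw)   # e.g. %SystemRoot%

    if (Test-Path -LiteralPath $path) {
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        # Catalog-signed system DLLs may be reported as NotSigned by older
        # PowerShell versions, so treat the status as a hint, not a verdict.
        $status  = (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        $company = $null
        $status  = 'FileMissing'             # dangling entry: the DLL is gone
    }

    [pscustomobject]@{
        Entry     = $_.PSChildName
        Dll       = $path
        Company   = $company
        Signature = $status
    }
} | Sort-Object Entry | Format-Table -AutoSize
```

Entries whose DLL belongs to software you recognise (a firewall, or VPN software as described above) are expected; a DLL in an unexpected location, with no company name, or missing from disk is the one to investigate further. `netsh winsock show catalog` prints the same catalog without touching the registry directly.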
 