Re: What are these registry entries?

From: YoKenny (YKnot_at_home.invalid)
Date: 08/08/03 

Date: Fri, 8 Aug 2003 02:35:43 -0400

LuckyStrike wrote:
> While looking through the startup files, I found these two entries in
> the registry that have me wondering what they could be. I used a
> program called Pest Patrol to view both the startup files and the
> running processes of the PC, to obtain this information that I've
> provided.
>
> HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)
>
> HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)
>
> Paths for the two are C:\windows\system\mshta.exe
>
> Both possess an MD5 "signature" of
> {95e7e4913891bd12ff9a58c60ea8d143}
>
> What the heck are they? Would any of these be an issue for concern?

You may want to read this:
HTA DOWNLOAD EXPLOIT
http://www.nsclean.com/psc-htas.html

"On July 28th 2003, a new means of exploit was discovered by the team at
spywareinfo.com which involved a program rapidly disseminating onto the
computers of innocent victims called "WINMAIN.EXE." The source of this file
is currently unknown, though it appears to be rampant, likely placed onto
machines as one of those "hijacker/adware" packages. Normally such programs
are at worst a privacy issue or an annoyance. However, this event portends
an entirely new method of attack against machines, given that the offending
executable activates a particularly dangerous piece of Internet Explorer and
exposes a serious new risk to all machines, since this executable runs
throughout an entire Windows session, and does not possess the ability to
distinguish the source of scripts which it will run. This particular
exploits drops a file called "C:\WINLOG.HTML" which is called, and can be
located, but future exploits will be able to generate other files with other
names in the future. This exploit is merely the opening salvo in what we
expect to be a whole new approach to trojans. "

Also read: (looking for winmain)
http://www.pacs-portal.co.uk/startup_pages/startup_all.php

Relevant Pages

  • Re: DST Updates Deployed via Group Policy
    ... In KB914387 Microsoft gives you the registry keys that need to be changed ... saw that my EST reg entries were the same as my 2003 server and 2000 ... WAS able to select the group in the GPO editor so I assumed that it could ... things are working, that is, the machines are being healthy little ...
    (microsoft.public.windows.group_policy)
  • Re: Norton Personal Firewall 2003
    ... Most applications do not get rid of all the registry ... entries when you do an uninstall from the control panel applet. ... NPF is trying to make their firewall less ... So i'm using nav on all machines, ...
    (comp.security.firewalls)
  • Re: What are these registry entries?
    ... Startup pages as well, but did not ... find any actual entries in the registry or anywhere else that indicated the ... >> program called Pest Patrol to view both the startup files and the ... > exposes a serious new risk to all machines, ...
    (microsoft.public.security)
  • Re: Weird BSOD with Bioshock and Crysis
    ... refuses to work - despite uninstalling, removing all entries from the ... registry etc. etc. presumably because I swapped DVD/R drives in trying to ... I have other virtual machines all stored on their own ...
    (comp.sys.ibm.pc.games.action)
  • Registry Problem
    ... I have created a .reg file to remove some entries from the registry of ... certain machines however when i merge the registries the entries i am trying ... registry before hand it shows me the location and the details of the ...
    (microsoft.public.win2000.registry)