Re: Bizarre registry entries??
From: Wesley Vogel (123WVogel955_at_comcast.net)
Date: 06/28/05
- Next message: Carey Frisch [MVP]: "Re: After PQRemove, logon means logout."
- Previous message: ej0c: "Re: After PQRemove, logon means logout."
- In reply to: flatout4ever: "Bizarre registry entries??"
- Next in thread: Wesley Vogel: "Re: Bizarre registry entries??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Jun 2005 13:51:29 -0600
a brief tutorial here...
How To Install Spybot Search and Destroy & a brief tutorial
http://tomcoyote.com/SPYBOT/index1.php
-----
.SBI = Spybot - Search & Destroy Add-on Info File
Files are in ...
C:\Program Files\Spybot - Search & Destroy\Includes
or
%programfiles%\Spybot - Search & Destroy\Includes
The filenames correspond with the tab names.
From Spybot - Search & Destroy HELP...
Ignore products
[[This section lists all products defined internally and in the external
include files. If you want to exclude a complete product, or include it
again, select the file from this section and toggle the checkbox before the
product.]]
-----
*Registry key not found* is a good thing.
Scumware sometimes hides its startups in Windows NT UserInit.
-----
*No values found* means nothing is starting from that particular registry
key.
-----
Explorer.exe is supposed to be in...
C:\WINDOWS
and
C:\WINDOWS\System32
nowhere else.
-----
Regedit.exe is supposed to be in...
C:\WINDOWS
and
C:\WINDOWS\System32
nowhere else.
-----
Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll -
{53707962-6F74-2D53-2644-206D7942484F}
SDHelper.dll is Spybot - Search & Destroy Bad download blocker.
[[Blocks URLs that could install spyware, malware etc.]]
Spybot - Search & Destroy | Tools | Resident |
From Spybot - Search & Destroy HELP...
[[Resident is a permanently running application to protect your system.
Currently, it consists of a browser helper for Internet Explorer that will
block download of files known as malicious (spyware installers for example).
This page inside Spybot-S&D allows you to install/uninstall this helper as
well as view the report which pages it has blocked (that should only appear
if the first layer of protection, the main IE immunity, didn't stop the
culprit).
The second resident tool is the TeaTimer
You can find the resident tools in the tools section.]]
-----
I have no idea what those HKEY_CLASSES_ROOT entries are. I do not have
them.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:flatout4ever.1rcj5i@no-mx.forums.iamnotageek.com,
flatout4ever <flatout4ever.1rcj5i@no-mx.forums.iamnotageek.com> hunted and
pecked:
> Could someone please let me know if any/ all of these are normal?
>
>
> My aunt had a bunch of crapware (and maybe viruses) on her computer.
> She reinstalled Windows XP and brought it to me to download all her
> updates etc. (she still has dial-up). So I did all the Windows updates,
> downloaded all recommended spyware programs, and ran scans for all. No
> "threats" were found, but when I started digging deeper I noticed things
> I've never seen on other computers. I am not an expert, so forgive me
> if some of it is "normal".
>
> Spybot's startup tool lists 9 keys for WinLogon, all DLLs. Under ignore
> products in Spybot, the tabs for each (trojan, hijacker, etc.) all have
> the extension ".sbi".
>
> HijackThis startup list has a lot of "registry key not found" entries.
> Here is a copy of part of that list:
>
> Checking Windows NT UserInit:
> [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> UserInit = C:\WINDOWS\system32\userinit.exe,
> [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
> *Registry key not found*
> [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> *Registry value not found*
> [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
> *Registry key not found*
> --------------------------------------------------
> Autorun entries from Registry:
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
> PRISMSVR.EXE = "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
> 2wSysTray = C:\Program Files\2Wire\2PortalMon.exe
> HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
> SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
> --------------------------------------------------
> Autorun entries from Registry:
> HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
> *No values found*
> --------------------------------------------------
> Autorun entries from Registry:
> HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
> *No values found*
> --------------------------------------------------
> Autorun entries from Registry:
> HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
> *Registry key not found*
>
> Also interesting:
>
> Checking for EXPLORER.EXE instances:
> C:\WINDOWS\Explorer.exe: PRESENT!
> C:\Explorer.exe: not present
> C:\WINDOWS\Explorer\Explorer.exe: not present
> C:\WINDOWS\System\Explorer.exe: not present
> C:\WINDOWS\System32\Explorer.exe: not present
> C:\WINDOWS\Command\Explorer.exe: not present
> C:\WINDOWS\Fonts\Explorer.exe: not present
> --------------------------------------------------
> Checking for superhidden extensions:
> lnk: HIDDEN! (arrow overlay: yes)
> pif: HIDDEN! (arrow overlay: yes)
> exe: not hidden
> com: not hidden
> bat: not hidden
> hta: not hidden
> scr: not hidden
> shs: HIDDEN!
> shb: HIDDEN!
> vbs: not hidden
> vbe: not hidden
> wsh: not hidden
> scf: HIDDEN! (arrow overlay: NO!)
> url: HIDDEN! (arrow overlay: yes)
> js: not hidden
> jse: not hidden
> --------------------------------------------------
> Verifying REGEDIT.EXE integrity:
> - Regedit.exe found in C:\WINDOWS
> - .reg open command is normal (regedit.exe %1)
> - Company name OK: 'Microsoft Corporation'
> - Original filename OK: 'REGEDIT.EXE'
> - File description: 'Registry Editor'
> Registry check passed
> --------------------------------------------------
> Enumerating Browser Helper Objects:
> (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll -
> {53707962-6F74-2D53-2644-206D7942484F}
> --------------------------------------------------
>
>
>
> So I ran regedit. Almost everything under type is "REG_SZ", and under
> HKEY_CLASSES_ROOT there are duplicate entries with small changes for
> almost everything, for example:
> HKEY_CLASSES_ROOT\CETIUI.Form
> HKEY_CLASSES_ROOT\CETIUI.Form.1
> HKEY_CLASSES_ROOT\CETIUI.Forms
> HKEY_CLASSES_ROOT\CETIUI.Forms.1
>
>
> I appreciate ANY help/suggestions.
>
> Thanks
>
>
> --
> flatout4ever
> ------------------------------------------------------------------------
> flatout4ever's Profile: http://www.iamnotageek.com/member.php?userid=13978
> View this thread: http://www.iamnotageek.com/showthread.php?t=1819086405
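An added example, not part of the original posts and not HijackThis's own code: a small Python parser for the startup-list layout quoted above. It records each key's status line and values and flags any UserInit entry other than the userinit.exe path shown in the log. The sample text is constructed (example.exe is made up) and the function names are hypothetical.

```python
import re

# Constructed sample in the HijackThis startup-list layout quoted in this thread.
# The second UserInit entry (example.exe) is made up to exercise the check.
SAMPLE = r"""Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example.exe
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
"""

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # value shown in the quoted log
KEY_RE = re.compile(r"^\[?((?:HKLM|HKCU)\\[^\]]+)\]?$")   # key line, with or without [ ]
STATUS_RE = re.compile(r"^\*(.+)\*$")                     # e.g. *No values found*
VALUE_RE = re.compile(r"^(.+?) = (.+)$")                  # name = data

def parse_startup_list(text):
    """Map each registry key to its status line (if any) and its values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {"status": None, "values": {}})
        elif line.startswith("-----"):
            current = None  # section separator: the next line is a heading
        elif current is not None:
            status, value = STATUS_RE.match(line), VALUE_RE.match(line)
            if status:
                current["status"] = status.group(1)
            elif value:
                current["values"][value.group(1)] = value.group(2)
    return keys

def userinit_extras(keys):
    """Return (key, entry) for each UserInit entry that is not userinit.exe."""
    return [(key, entry.strip())
            for key, info in keys.items()
            for name, data in info["values"].items() if name.lower() == "userinit"
            for entry in data.split(",")
            if entry.strip() and entry.strip().lower() != EXPECTED_USERINIT]
```

A key whose status is set and whose values are empty is one of the "nothing is starting from here" cases described in the reply; anything returned by `userinit_extras` is worth a closer look.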