Hello… I just wondered if anyone knew if the following registry keys are malicious or signs of infection:
- ICE-----DoNotInstall (HKEY_LOCAL_MACHINE\Software\Ice\DoNotInstall)
- ORL-----VNCHooks (HKEY_CURRENT_USER\Software\Orl\VNCHooks & HKEY_CURRENT_USER\Software\Orl\VNCHooks\Application_Prefs)
I have not been able to find the program that uses/installs ICE. I suspect it’s the printer also, but I’m not sure. The system is basically clean, as it’s a fresh install.
Before I saw these keys, I installed HP printer software, 2nd on the page (Full)… http://h10025.www1.hp.com/ewfrf/wc/softwareList?os=228&lc=en&cc=us&dlc=en&product=303753&lang=en
I think I might try the basic driver, instead, to see if those keys install… I scanned the file with AIS & also scanned all my reinstall programs and nothing was found.
ORL seems to be associated with the printer, based on info in the registry. I wonder about ORL & VNCHooks, due to http://www.threatexpert.com/report.aspx?md5=cec7438f470452595ff1535575019e1a . Near the bottom of the page, there is a note about registry modifications, which looks similar to what is in the registry. As far as I know, none of those files are on the computer.
Any ideas?
ORL
Key Name: HKEY_CURRENT_USER\Software\ORL
Class Name: <NO CLASS>
Last Write Time: 4/15/2010 - 12:58 PM
Key Name: HKEY_CURRENT_USER\Software\ORL\VNCHooks
Class Name: <NO CLASS>
Last Write Time: 4/15/2010 - 12:58 PM
Key Name: HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs
Class Name: <NO CLASS>
Last Write Time: 4/15/2010 - 12:59 PM
Key Name: HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\Hpqdirec.exe
Class Name: <NO CLASS>
Last Write Time: 4/15/2010 - 12:58 PM
Value 0
Name: use_GetUpdateRect
Type: REG_DWORD
Data: 0x0
Value 1
Name: use_Timer
Type: REG_DWORD
Data: 0x1
Value 2
Name: use_KeyPress
Type: REG_DWORD
Data: 0x1
Value 3
Name: use_LButtonUp
Type: REG_DWORD
Data: 0x1
Value 4
Name: use_MButtonUp
Type: REG_DWORD
Data: 0x0
Value 5
Name: use_RButtonUp
Type: REG_DWORD
Data: 0x0
Value 6
Name: use_Deferral
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe
Class Name: <NO CLASS>
Last Write Time: 4/15/2010 - 12:59 PM
Value 0
Name: use_GetUpdateRect
Type: REG_DWORD
Data: 0x0
Value 1
Name: use_Timer
Type: REG_DWORD
Data: 0x1
Value 2
Name: use_KeyPress
Type: REG_DWORD
Data: 0x1
Value 3
Name: use_LButtonUp
Type: REG_DWORD
Data: 0x1
Value 4
Name: use_MButtonUp
Type: REG_DWORD
Data: 0x0
Value 5
Name: use_RButtonUp
Type: REG_DWORD
Data: 0x0
Value 6
Name: use_Deferral
Type: REG_DWORD
Data: 0x1
ICE
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\ICE\DoNotInstall
Class Name: <NO CLASS>
Last Write Time: 4/15/2010 - 12:58 PM
Value 0
Name: {AC1314E7-D28C-40A1-B322-80D2868D35CE}
Type: REG_SZ
Data: 1
Value 1
Name: {F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}
Type: REG_SZ
Data: 1
Value 2
Name: {6CF9C6C0-54E5-4668-85C1-C10F63C40155}
Type: REG_SZ
Data: 1
Value 3
Name: {18E0918E-1060-48f3-925C-56C82E88551B}
Type: REG_SZ
Data: 1
Value 4
Name: {0FABD3D7-3036-4e78-B29D-58957ADB0A12}
Type: REG_SZ
Data: 1
Value 5
Name: {7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}
Type: REG_SZ
Data: 1
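The value names under HKCU\Software\ORL\VNCHooks\Application_Prefs\<exe> in the dump above (use_GetUpdateRect, use_Timer, use_KeyPress, use_LButtonUp, use_MButtonUp, use_RButtonUp, use_Deferral) are exactly the per-application settings that the WinVNC-family screen hook DLL (VNCHooks.dll; ORL is Olivetti Research Lab, where VNC originated) writes for each process it gets loaded into. So the keys show that a VNC-derived hook DLL ran inside Hpqdirec.exe and hpqtra08.exe; they do not by themselves say whether that DLL is a component shipped with the HP package or a dropped VNC server. The script below is an added triage example, not code from the original post or from HP or the VNC projects. It enumerates every hooked process named under Application_Prefs (not just the two in the dump), locates the hooked executables and any VNC hook DLL or server binary on disk, reports their Authenticode signers, checks for listeners on the default VNC ports, and tries to resolve the HKLM\SOFTWARE\ICE\DoNotInstall GUIDs against the Uninstall and CLSID hives. The search roots, the binary names searched for, the port numbers (VNC defaults) and the GUID lookup locations are assumptions, labelled in the comments; run it from an elevated PowerShell.

```powershell
# Added triage script (not from the original post). Labelled assumptions:
#  - the VNCHooks keys are written by a VNC-derived hook DLL (VNCHooks.dll)
#    into HKCU\Software\ORL\VNCHooks\Application_Prefs\<hosting exe>;
#  - $searchRoots and the binary names below are guesses at where vendor
#    software and a VNC server would live, not confirmed locations;
#  - 5900/5800 are the VNC defaults; a server can listen elsewhere.
# Run in an elevated PowerShell so HKLM and all process paths are readable.

$hookPrefs   = 'HKCU:\Software\ORL\VNCHooks\Application_Prefs'
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ -and (Test-Path $_) }

function Get-SigSummary {
    # Path, signature status and signer subject for one file.
    param([string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $subject }
}

function Find-Binary {
    # Every file with this name under the assumed search roots.
    param([string]$Name)
    foreach ($root in $searchRoots) {
        Get-ChildItem -Path $root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue
    }
}

# 1. Which processes has the hook DLL been loaded into? One subkey per exe.
if (Test-Path $hookPrefs) {
    Get-ChildItem $hookPrefs | ForEach-Object {
        $exe = $_.PSChildName
        Write-Output "VNCHooks preferences exist for: $exe"
        $_ | Get-ItemProperty | Select-Object use_* | Format-List | Out-String | Write-Output
        Find-Binary $exe | ForEach-Object { Get-SigSummary $_.FullName }
    }
} else {
    Write-Output "No $hookPrefs key present."
}

# 2. Where is the hook DLL or a VNC server binary, and who signed it?
#    (assumed names; a vendor build may ship under a different file name)
foreach ($name in 'vnchooks.dll', 'winvnc.exe', 'winvnc4.exe') {
    Find-Binary $name | ForEach-Object { Get-SigSummary $_.FullName }
}

# 3. Is anything listening on the default VNC ports (5900 RFB, 5800 HTTP)?
netstat -ano | Select-String -Pattern ':(5900|5800)\s+\S+\s+LISTENING' |
    ForEach-Object { Write-Output "VNC-port listener: $_" }

# 4. What do the GUIDs under HKLM\SOFTWARE\ICE\DoNotInstall refer to?
#    Assumed lookup: MSI Uninstall entries and COM CLSIDs keyed by that GUID.
$ice = 'HKLM:\SOFTWARE\ICE\DoNotInstall'
if (Test-Path $ice) {
    (Get-Item $ice).GetValueNames() | ForEach-Object {
        $guid = $_
        $hits = @(
            "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$guid",
            "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$guid",
            "HKLM:\SOFTWARE\Classes\CLSID\$guid"
        ) | Where-Object { Test-Path $_ }
        if ($hits) {
            foreach ($h in $hits) {
                $p     = Get-ItemProperty $h
                $label = if ($p.DisplayName) { $p.DisplayName } else { $p.'(default)' }
                Write-Output "$guid -> $h : $label"
            }
        } else {
            Write-Output "$guid -> no Uninstall or CLSID entry (may be an installer-internal component id)"
        }
    }
}
```

Read the output in this order: a hooked exe and a VNCHooks.dll that are both validly signed by the same vendor, with no VNC-port listener, is consistent with a bundled remote-support component; an unsigned or differently signed hook DLL, a winvnc-style binary outside the vendor's directory, or a listener on 5900/5800 that no installed product accounts for is what would turn these keys from curiosity into an incident. The signature check is only as good as the certificate chain on the box, so treat "Valid" as necessary, not sufficient.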