Win2000 Registry - Does anyone recognize this???

system · 2007-06-20T23:15:04.000Z

essexboy post:2:

What it is is a rot13 encryption…

Yes, thank you. That is what I found after researching the key - apparently the same question has been asked on a number of forums. Do you know if it is in anyway related to the ‘Windows File Protection’ service? I have not found that information.

UPDATE: Just found that it may be related to Explorer’s Launchpad file folder:

http://seclists.org/pen-test/2000/Nov/

Tech post:3:

cluelessuser post:1:

I’ve had this key popping up in my registry now for some time.
It keeps popping back up, so something is ‘creating’ it as it goes.

Can you post a screenshot? See http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

It’s strange that a registry key is there.

Apologies - I used imprecise wording. It is not literally ‘popping up’ as in a pop-up window or in the Avast scanner message - I simply meant it keeps re-appearing in my registry. Not sure a screenshot would show anything better than the text of the actual reg key export file.

Tech post:3:

Can you post a HijackThis Log? It can be downloaded here: http://www.bleepingcomputer.com/files/hijackthis.php

I downloaded it… It may take me several years to move through the instructions on how to use it! :o

Thank you for pointing to this. I will read it and try to use it to create a log file. Not sure, but think I’ve been ‘hijacked’ quite a bit recently. It does say one needs an ‘expert’ to interpret it, so - fair warning again - I may be back! :

Thanks & best regards to you both!

Lisandro · 2007-06-21T01:06:51.000Z

cluelessuser post:4:

Apologies - I used imprecise wording. It is not literally ‘popping up’ as in a pop-up window or in the Avast scanner message - I simply meant it keeps re-appearing in my registry. Not sure a screenshot would show anything better than the text of the actual reg key export file.

How are you monitoring the registry, I mean, how did you find that, each time, this registry key is rewritten?

Tech post:3:

It does say one needs an ‘expert’ to interpret it

But indeed interpret the log is not an easy task… Take care. Better post the log here.

system · 2007-06-21T14:51:29.000Z

Tech post:5:

How are you monitoring the registry, I mean, how did you find that, each time, this registry key is rewritten?

I found it initially by accident searching the registry for another key. Then, I kept an eye on it.

Tech post:3:

But indeed interpret the log is not an easy task… Take care. Better post the log here.

Here is log and start-up list. But it is not complete. There is one service not there that I am wondering about: HID.DLL. I do not recall seeing it before, but it is now running on start-up. This morning, I set the service to ‘manual start’ and will see what happens. But it was running when I did the initial Hijack this scan.

Another new event. Kerio FW will now not recognize nor open ports for Netscape or Thunderbird. TCPView sees them, however. Outcome: cannot connect to URLs with SPF Kerio FW ruinning…

Logfile of HijackThis v1.99.1 Scan saved at 9:50:35 AM, on 6/21/2007 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\ALWILS~1\Avast4\ashDisp.exe
D:\Aps\Remind!\remind.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
D:\Aps\FaxTalk\NOH\FTNohMGR.exe
D:\Aps\MS Office\Office\MSOFFICE.EXE
D:\Aps\Firefox\Mozilla Firefox\firefox.exe
C:\Program Files\Netscape Internet Service\NSClient.exe
C:\Program Files\Common Files\ISPCOMP\SystemTrayIcon.exe
C:\Program Files\Netscape Internet Service_NSWatchman.exe
D:\Utils\MS TCP View\Tcpview.exe
C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
D:\Aps\Thunderbird\thunderbird.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Devices\nohijackthist\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM..\Run: [avast!] d:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Remind!] D:\Aps\Remind!\remind.exe
O4 - HKLM..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM..\Run: [NetOnHold] .\FTNOHMgr.EXE /autoload
O4 - Global Startup: FaxTalk MOH.lnk = D:\Aps\FaxTalk\NOH\FTNohMGR.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = D:\Aps\MS Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181312103709
O17 - HKLM\System\CCS\Services\Tcpip..{75A803A6-D1C5-442C-A88B-F265B9CD0635}: NameServer = 205.188.146.145
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

system · 2007-06-21T14:53:28.000Z

StartupList report, 6/20/2007, 11:12:04 PM
StartupList version: 1.52.2
Started from : C:\Devices\nohijackthist\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Using default options
Including empty and uninteresting sections
Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
d:\Alwil Software\Avast4\aswUpdSv.exe
d:\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
D:\utils\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
d:\Alwil Software\Avast4\ashWebSv.exe
d:\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
D:\ALWILS~1\Avast4\ashDisp.exe
D:\Aps\Remind!\remind.exe
D:\Aps\FaxTalk\NOH\FTNohMGR.exe
D:\Aps\MS Office\Office\MSOFFICE.EXE
C:\WINNT\system32\stisvc.exe
C:\Devices\nohijackthist\HijackThis.exe

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Shortcut to remind_backup.bat.lnk = D:\Aps\Remind!\backup\remind_backup.bat

Shell folders AltStartup:
Folder not found

User shell folders Startup:
Folder not found

User shell folders AltStartup:
Folder not found

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
FaxTalk MOH.lnk = D:\Aps\FaxTalk\NOH\FTNohMGR.exe
Microsoft Office Shortcut Bar.lnk = D:\Aps\MS Office\Office\MSOFFICE.EXE

Shell folders Common AltStartup:
Folder not found

User shell folders Common Startup:
Folder not found

User shell folders Alternate Common Startup:
Folder not found

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
Registry key not found

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Registry value not found

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
Registry key not found

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
avast! = d:\ALWILS~1\Avast4\ashDisp.exe
Remind! = D:\Aps\Remind!\remind.exe
Netscape = C:\Program Files\Common Files\ISPCOMP\InstallService.exe
NetOnHold = .\FTNOHMgr.EXE /autoload
NetscapeClient =

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

No values found

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

No values found

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Registry key not found

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Registry key not found

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Registry key not found

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

No values found

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Registry key not found

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Registry key not found

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Registry key not found

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

Registry key not found

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

Registry key not found

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
No subkeys found

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
No subkeys found

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
No subkeys found

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Registry key not found

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Registry key not found

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry key not found

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
No subkeys found

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Registry key not found

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Registry key not found

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Registry key not found

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Registry key not found

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Registry key not found

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = “%1” %*

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = “%1” %*

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = “%1” %*

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = “%1” %*

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = “%1” /S

system · 2007-06-21T14:55:02.000Z

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\system32\mshta.exe “%1” %*

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\System32\setup\wmpocm.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = “C:\WINNT\system32\shmgrate.exe” OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = “C:\WINNT\system32\shmgrate.exe” OCInstallUserConfigOE

[>{A9E8FC4B-FDB2-4F07-8FA5-973302667A77}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = “%ProgramFiles%\Outlook Express\setup50.exe” /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:“S 2 true 3 true 4 true 5 true 6 true 7 true” initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = “%ProgramFiles%\Outlook Express\setup50.exe” /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

Registry key not found

Load/Run keys from C:\WINNT\WIN.INI:

load=INI section not found
run=INI section not found

Load/Run keys from Registry:

HKLM..\Windows NT\CurrentVersion\WinLogon: load=Registry value not found
HKLM..\Windows NT\CurrentVersion\WinLogon: run=Registry value not found
HKLM..\Windows\CurrentVersion\WinLogon: load=Registry key not found
HKLM..\Windows\CurrentVersion\WinLogon: run=Registry key not found
HKCU..\Windows NT\CurrentVersion\WinLogon: load=Registry value not found
HKCU..\Windows NT\CurrentVersion\WinLogon: run=Registry value not found
HKCU..\Windows\CurrentVersion\WinLogon: load=Registry key not found
HKCU..\Windows\CurrentVersion\WinLogon: run=Registry key not found
HKCU..\Windows NT\CurrentVersion\Windows: load=
HKCU..\Windows NT\CurrentVersion\Windows: run=Registry value not found
HKLM..\Windows NT\CurrentVersion\Windows: load=Registry value not found
HKLM..\Windows NT\CurrentVersion\Windows: run=Registry value not found
HKLM..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=INI section not found
SCRNSAVE.EXE=INI section not found
drivers=INI section not found

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\sspipes.scr
drivers=Registry value not found

Policies Shell key:

HKCU..\Policies: Shell=Registry key not found
HKLM..\Policies: Shell=Registry value not found

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Verifying REGEDIT.EXE integrity:

Regedit.exe found in C:\WINNT
.reg open command is normal (regedit.exe %1)
Company name OK: ‘Microsoft Corporation’
Original filename OK: ‘REGEDIT.EXE’
File description: ‘Registry Editor’

Registry check passed

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

Enumerating Task Scheduler jobs:

No jobs found

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181312103709

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Sun Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll

system · 2007-06-21T14:57:47.000Z