KnowWhen2HoldemKnowWhen2Foldem
A couple of days ago I had the misfortune to click on a web site which had
"Download.Trojan" embedded in a picture file called "IE0601e(1)wmf". The
website for this picture was an untraceable website in Russia which was
traced through a supposed legitimate server in Amsterdam. Norton AV
immediately notified me of this attempt to install the trojan; however, I do
not know whether the quarantine contained the trojan, as I could not examine
the file nor confirm its deletion. I had to deinstall Norton, which told me
it deleted the quarantined file. I then reinstalled and ran a scan with the
latest signature and no trojan was found. However, I was examining my
startup files and ran across the following startup item:
a blank "startup item"
a blank "command"
the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I then went to the Run key and found a number of startup items that were
correct but one startup that seemed to correspond with this blank startup
item in the (default) key:
(Default) REG_SZ
There is no (value not set) under the data type.
Examining the binary for data shows:
0000 00 00 ..
Attempts to reset the value to "(value not set)" failed.
There was the same problem for the hierarchical registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\
The only key in this sequence that has the correct name, type and data is
the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
This shows:
(Default) REG_SZ (value not set)
The Binary for data shows:
0000
Is this an acceptable variant for WinXP registry or does it indicate some
sort of registry problem possibly secondary to the trojan or other virus?
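An added example for checking what the post describes, not code from the poster or from Norton: a PowerShell script that walks the HKLM and HKCU Run/RunOnce keys, reports whether each key's (Default) value is absent (what regedit shows as "(value not set)"), present but empty, or set, and flags entries with a blank name, a blank command, or a command whose executable no longer exists on disk. The key list, the function names and the output columns are my own choices; the script assumes a Windows host with PowerShell and administrator rights to read HKLM.

```powershell
# Added example, not code from the original post: enumerate the Run/RunOnce
# autostart keys, report the state of each key's (Default) value, and flag
# entries that are blank or whose target executable is missing from disk.
# Assumes a Windows host with PowerShell; run as an administrator to read HKLM.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-DefaultValueState {
    param([Microsoft.Win32.RegistryKey]$Key)
    # GetValue('') returns $null when the default value does not exist, which
    # regedit displays as "(value not set)". An existing but empty REG_SZ
    # default comes back as "" (regedit shows a blank; its binary view is the
    # two-byte string terminator 00 00).
    $v = $Key.GetValue('', $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $v) { return 'absent (value not set)' }
    if (($v -is [string]) -and ($v.Length -eq 0)) {
        return ('present but empty, type {0}' -f $Key.GetValueKind(''))
    }
    return ('set, type {0}: {1}' -f $Key.GetValueKind(''), $v)
}

function Get-CommandTarget {
    param([string]$Command)
    # Pull the executable path out of a command line: a quoted leading path,
    # otherwise the first whitespace-delimited token.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    return ($c -split '\s+', 2)[0]
}

function Test-TargetExists {
    param([string]$Target)
    # Rooted paths are checked directly; bare names (e.g. rundll32.exe) are
    # resolved through the command search path the way the shell would.
    if ([string]::IsNullOrEmpty($Target)) { return $false }
    if ([IO.Path]::IsPathRooted($Target)) { return (Test-Path -LiteralPath $Target) }
    return [bool](Get-Command -Name $Target -ErrorAction SilentlyContinue)
}

function Get-AutorunReport {
    foreach ($path in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        # One row for the key's (Default) value itself.
        [pscustomobject]@{
            Key     = $path
            Name    = '(Default)'
            Kind    = ''
            Command = Get-DefaultValueState -Key $key
            Flags   = ''
        }
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # the default value, reported above
            $cmd   = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $flags = @()
            if ([string]::IsNullOrWhiteSpace($name)) { $flags += 'BLANK-NAME' }
            if ([string]::IsNullOrWhiteSpace($cmd)) {
                $flags += 'BLANK-COMMAND'
            } elseif (-not (Test-TargetExists -Target (Get-CommandTarget -Command $cmd))) {
                $flags += 'TARGET-MISSING'
            }
            [pscustomobject]@{
                Key     = $path
                Name    = $name
                Kind    = $key.GetValueKind($name)
                Command = $cmd
                Flags   = ($flags -join ',')
            }
        }
    }
}

Get-AutorunReport | Format-Table -AutoSize -Wrap
```

The (Default) row distinguishes the two states the post is comparing: "absent" is regedit's "(value not set)", while "present but empty" is a REG_SZ default holding only its terminator, which is what the binary view shows as 00 00. The rows that matter after an antivirus quarantine are those flagged BLANK-COMMAND or TARGET-MISSING, since an autostart entry whose payload has been deleted is left pointing at nothing. On 64-bit Windows the same keys also exist under SOFTWARE\Wow6432Node and can be added to the list.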