registry key automagically appeared

  • Thread starter: george

Hi all,

My 3-day old clean-install XP Pro-SP2 with (to my knowledge) features the
following registry key:
HKCU\Software\ORL\VNCHooks and depending subkeys like Application_Prefs with
underneath that a whole slew of definitions of applications on the machine.

Research, so far, has shown me this has to do with VNC (remote control
software) and more specifically vnchooks.dll, BUT....
I haven't got VNC installed and the often mentioned vnchooks.dll isn't
anywhere to be found on my machine either.
Machine is spy- and adware free.

Questions I now have are:
- Can anyone explain how this reg entry has gotten into my machine?
- What is it for?
- Should it remain on the machine or can it safely be removed? (I get a
little paranoid when there is unknown stuff on my machine that looks like it
is capable to accept (?) connection establishments from the outside!)

Your help and insight is appreciated.

George
 
Yes, the registry keys you mention are part of VNC. The only way this
registry entry could have gotten there was if it was installed either by you,
or someone else.

The registry entries you speak of are for the settings of VNC. It is a remote
control application. You can safely remove it without any impact to Windows;
obviously VNC won't work though. Since you are running SP2, and if you have
Windows firewall on, no one would be able to connect unless there has been an
exception made for it in your Windows firewall settings. Might be worth a
check to see.
 
Thanks Chris,

I kind'o figured this to be the case, the puzzling part for me was (and
still is!) how it got there, since I (re)built the box from scratch myself
and do not even have the VNC software available to install.
The only thing I have knowingly installed different from my other machine is
Symantec Ghost so as to get some stuff out of an earlier image using Ghost
Explorer. Could this be the instigator?
Otherwise the stuff on this machine is pretty 'standard' (for me anyway)
like AD-aware, Adobe, Canon camera stuff, Diskeeper, Spywareblaster, AVG, MS
.NET fwk, MBSA, Office, VPC, Nero, PowerDVD, Spywareblaster.
None of these have previously exhibited anything resulting in this key.
All Windows Update fixes current.

I'm behind a hw firewall/router setup running NAT, so I feel pretty safe and
according to ShieldsUp I'm completely stealthed.

I hate it when I can't explain the origin of stuff on my machines.

Any more thoughts?

george
 
Can't tell you how it got there, but if you look at the properties of the
files in question you may be able to tell when it was installed. I use Ghost
every day and I can assure you that Ghost didn't do it. :)

Additionally since you have all those spyware programs installed, which
frankly, I think are way too much, it may be possible it was installed, but
the anti-spyware programs removed most of the components except those keys.

You should try Microsoft's Antispyware Beta, it's very good, comprehensive,
and offers real time protection. I think you will find it can replace all of
those other applications.

Additionally you might be able to look into System Restore and see if it
set a restore point for when VNC was installed. Good luck!
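
The checks suggested in the replies above (leftover files, Windows Firewall exceptions), collected into a batch script for XP SP2. This is an added example, not part of the original thread; it assumes VNC's default ports 5900 and 5800 and searches only the system drive.

```bat
@echo off
rem Added example: triage for an unexplained VNCHooks registry key on XP SP2.
rem Assumptions: VNC default ports 5900 (RFB) and 5800 (HTTP viewer);
rem only %SystemDrive% is searched for the hook DLL.
setlocal
set KEY=HKCU\Software\ORL\VNCHooks
set FOUND_KEY=0
set FOUND_DLL=0
set FOUND_LISTEN=0

echo [1] Registry key %KEY%
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    set FOUND_KEY=1
    rem Dump the key and its subkeys so the contents can be reviewed.
    reg query "%KEY%" /s
) else (
    echo     not present
)

echo [2] vnchooks.dll anywhere on %SystemDrive%
dir /s /b "%SystemDrive%\vnchooks.dll" 2>nul
if not errorlevel 1 set FOUND_DLL=1

echo [3] Windows Firewall exceptions (ports, then programs)
netsh firewall show portopening
netsh firewall show allowedprogram

echo [4] Listening sockets on 5900 or 5800, with owning PID
netstat -ano | findstr LISTENING | findstr /c:":5900 " /c:":5800 "
if not errorlevel 1 set FOUND_LISTEN=1

echo.
echo Summary: key=%FOUND_KEY% dll=%FOUND_DLL% listener=%FOUND_LISTEN%
if "%FOUND_DLL%%FOUND_LISTEN%"=="00" (
    echo No hook DLL on disk and nothing listening on the VNC ports.
)
endlocal
```

Any PID printed in step 4 can be matched to a process name with `tasklist`, which ships with XP Pro.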
 