spykeylogger discovered by CA-Pest Patrol


RR Newsgroups

On a fresh installation of XP that was upgraded via Windows Update to XP2
and on which was installed CA-eTrust EZArmour suite before ever connecting
to the Internet...after running CA-Pest Patrol, the scan results showed the
following "SpyKeylogger" with a
Key:hkey_current_user\software\microsoft\windows\shellnoroam\bags\6\shell

Regedit displayed this...


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell]
"FolderType"="Documents"
"MinPos1024x768(1).x"=dword:ffffffff
"MinPos1024x768(1).y"=dword:ffffffff
"MaxPos1024x768(1).x"=dword:ffffffff
"MaxPos1024x768(1).y"=dword:ffffffff
"WinPos1024x768(1).left"=dword:00000058
"WinPos1024x768(1).top"=dword:00000074
"WinPos1024x768(1).right"=dword:00000378
"WinPos1024x768(1).bottom"=dword:000002cc
"Rev"=dword:00000000
"WFlags"=dword:00000000
"ShowCmd"=dword:00000001
"FFlags"=dword:00000001
"HotKey"=dword:00000000
"Buttons"=dword:ffffffff
"Links"=dword:00000000
"Address"=dword:ffffffff
"Vid"="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"


What is this? Is it a false warning from Pest Patrol? Should I be
concerned? Should I delete it, quarantine it, ignore it?
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell
is the customization settings for a folder.

If Remember each folder's view settings is selected in Folder Options, then
you get a boatload of numbered registry keys under

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags

"This key has a number of numbered sub-keys, each corresponding to saved
settings for a folder. The bad news is that the numbering is based on the
order in which you opened the folders since you installed XP; there is no
correspondence between name & number."

If you are in doubt, delete the
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6
key. At the very worst, the folder customizations for one folder will be
lost.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 
From: "RR Newsgroups" <No Address>

| On a fresh installation of XP that was upgraded via Windows Update to XP2
| and on which was installed CA-eTrust EZArmour suite before ever connecting
| to the Internet...after running CA-Pest Patrol, the scan results showed the
| following "SpyKeylogger" with a
| Key:hkey_current_user\software\microsoft\windows\shellnoroam\bags\6\shell
|
| Regedit displayed this...
|
| Windows Registry Editor Version 5.00
|
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell]
| "FolderType"="Documents"
| "MinPos1024x768(1).x"=dword:ffffffff
| "MinPos1024x768(1).y"=dword:ffffffff
| "MaxPos1024x768(1).x"=dword:ffffffff
| "MaxPos1024x768(1).y"=dword:ffffffff
| "WinPos1024x768(1).left"=dword:00000058
| "WinPos1024x768(1).top"=dword:00000074
| "WinPos1024x768(1).right"=dword:00000378
| "WinPos1024x768(1).bottom"=dword:000002cc
| "Rev"=dword:00000000
| "WFlags"=dword:00000000
| "ShowCmd"=dword:00000001
| "FFlags"=dword:00000001
| "HotKey"=dword:00000000
| "Buttons"=dword:ffffffff
| "Links"=dword:00000000
| "Address"=dword:ffffffff
| "Vid"="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
|
| What is this? Is it a false warning from Pest Patrol? Should I be
| concerned? Should I delete it, quarantine it, ignore it?
|

If a file or files were not found to be infected with a Keylogging Trojan then it is most
likely a False Positive and should be reported to Computer Associates.
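
An added example, not part of any post in this thread: a small triage script that parses a trimmed copy of the export posted above, confirms the flagged key sits under ShellNoRoam\Bags\<n>\Shell, decodes the WinPos DWORDs into a window rectangle, and lists any value whose data looks like a file reference. The function names and the FILE_HINT heuristic are assumptions made for this example.

```python
import re

# Trimmed copy of the export posted in the thread, embedded so this runs offline.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell]
"FolderType"="Documents"
"WinPos1024x768(1).left"=dword:00000058
"WinPos1024x768(1).top"=dword:00000074
"WinPos1024x768(1).right"=dword:00000378
"WinPos1024x768(1).bottom"=dword:000002cc
"ShowCmd"=dword:00000001
"HotKey"=dword:00000000
"Vid"="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
'''

BAGS_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows"
                      r"\\ShellNoRoam\\Bags\\(\d+)\\Shell$", re.I)
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-f]{8})|"(?P<text>.*)")$', re.I)
# Assumption (heuristic, not from the thread): data that refers to a file
# contains a path separator or a common executable/script extension.
FILE_HINT = re.compile(r"[\\/]|\.(exe|dll|sys|bat|cmd|vbs|scr)\b", re.I)

def parse_reg(text):
    """Return {key_path: {value_name: int or str}} for a .reg export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            current[m["name"]] = int(m["dword"], 16) if m["dword"] else m["text"]
    return keys

def triage(text):
    """Per key: Bags slot number, decoded window rectangle, file-like values."""
    report = []
    for path, values in parse_reg(text).items():
        bag = BAGS_KEY.match(path)
        rect = {n.rsplit(".", 1)[1]: v for n, v in values.items() if n.startswith("WinPos")}
        size = (rect["right"] - rect["left"], rect["bottom"] - rect["top"]) if len(rect) == 4 else None
        file_like = [n for n, v in values.items() if isinstance(v, str) and FILE_HINT.search(v)]
        report.append({"bag": int(bag[1]) if bag else None, "rect": rect,
                       "size": size, "file_like": file_like})
    return report

if __name__ == "__main__":
    for entry in triage(REG_EXPORT):
        print(entry)
```

On the posted data the rectangle decodes to an 800 x 600 window and no value refers to a file.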
 