WindowsBBS.com

A registry Warning?

Discussion in 'Malware and Virus Removal Archive' started by derfsch, 2004/10/09.

Thread Status:
Not open for further replies.
  1. 2004/10/09
    derfsch

    derfsch Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    319
    Likes Received:
    3
    Hi All,

    After installing a registry monitoring program, I received several notices about changes in the registry. One causes me some concern and I'm not sure how to respond. Here is the message:

    "An important entry has been ADDED to the registry!

    HKEY=HKEY_CLASSES_ROOT
    PATH=vbsfile\shell\open\command
    NAME=
    DATA=

    Allow this registry entry?
    (Yes to allow, No to delete key) "

    There are buttons to handle the reply. So far I have been replying No, but the same notice comes back after each Startup. Could clicking the Yes button open the registry to some nasties? Thank you.
     
  2. 2004/10/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello derfsch,

    but the same notice comes back after each Startup. Could clicking the Yes button open the registry to some nasties?

    Short answer, yes. What programs start on bootup?

    So one way to get the answer:

    Download HijackThis from here http://radiosplace.com/ latest version 1.98

    Download it to its own folder - unzip (double click on zipped folder) - click on the executable - click scan button - click save log and save to the folder you just created *DO NOT FIX ANYTHING* - copy resultant .txt file and paste into your next post.

    Regards - Charles
     


  4. 2004/10/09
    derfsch

    derfsch Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    319
    Likes Received:
    3
    Charles

    The programs running at Startup are the eTrust Virus and Firewall programs and a constantly running YacsMon Clock program. To these I added the Register Monitor, RegProt program.

    Logfile of HijackThis v1.98.2
    Scan saved at 2:03:13 PM, on 10/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    D:\PROGRA~1\ETRUST~1\VetTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exe
    D:\Program Files\DKService.exe
    D:\Program Files\eTrust EZ Firewall\ca.exe
    D:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
    E:\regprot.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\Program Files\NotesPad\Notespad.exe
    D:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\Documents and Settings\Derf\Desktop\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe
    O4 - Startup: regprot.exe.lnk = E:\regprot.exe
    O4 - Global Startup: YacsMon.exe
    O4 - Global Startup: EZ Firewall.lnk = D:\Program Files\eTrust EZ Firewall\ca.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\My Documents\Ebay\Ebay.htm
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thank you for your interest, I must admit that I understand very little in the above log.
     
  5. 2004/10/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi derfsch,

    I don't see anything "bad".

    One way to narrow this down to the process that wants to add a reg entry:

    First, make sure you're off-line.

    Go into the startups: run > type msconfig > ok > startup tab.

    Un-check all the startups except one - the AV I think and of course regprot. Then re-boot.

    Is it the AV? Repeat this process with the rest of the programs, re-checking and re-booting.

    Regards - Charles
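The msconfig bisect above disables startup entries by hand and reboots once per program. As an added example (not from the thread, and not part of RegProt, HijackThis or msconfig), the script below lists the same autostart locations in one pass: the HKLM/HKCU Run and RunOnce keys and the per-user and all-users Startup folders (the "O4" lines in the HijackThis log), with each shortcut resolved to its real target so the full command line is visible before anything is disabled. It also flags entries whose target file no longer exists, which is what a stale or half-removed install typically looks like, and entries that launch through a script host. It assumes PowerShell 3.0 or later and a standard Windows layout; the flagging rules are this editor's, not the forum's.

```powershell
# Added example, not code from the original thread.
# Enumerates autostart entries the way msconfig's Startup tab and
# HijackThis's O4 lines do, resolving shortcuts to their targets.
# Assumes PowerShell 3.0+ (for [pscustomobject] and -File).

function Get-AutostartEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Registry Run/RunOnce: each value name is an entry, its data the command line.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider bookkeeping (PSPath, PSParentPath, ...)
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # Startup folders: "O4 - Startup" (per user) and "O4 - Global Startup" (all users).
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path -Path $folder)) { continue }
        foreach ($item in Get-ChildItem -Path $folder -File) {
            if ($item.Extension -eq '.lnk') {
                # Resolve the shortcut so the real executable and its arguments are shown.
                $lnk = $shell.CreateShortcut($item.FullName)
                $cmd = ('"{0}" {1}' -f $lnk.TargetPath, $lnk.Arguments).TrimEnd()
            } else {
                $cmd = $item.FullName
            }
            [pscustomobject]@{ Source = $folder; Name = $item.Name; Command = $cmd }
        }
    }
}

function Add-AutostartNote {
    # Flags entries worth looking at first: a missing target, or a script-host launch.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $exe  = [regex]::Match($Entry.Command, '(?i)^"?([^"]+?\.(exe|com|bat|cmd|vbs|js|wsf))').Groups[1].Value
        $path = [Environment]::ExpandEnvironmentVariables($exe)
        $note = ''
        if ($exe -and -not (Test-Path -LiteralPath $path) -and -not (Get-Command $exe -ErrorAction SilentlyContinue)) {
            $note = 'TARGET MISSING'
        } elseif ($exe -match '(?i)\.(vbs|js|wsf)$') {
            $note = 'SCRIPT'
        }
        $Entry | Add-Member -NotePropertyName Note -NotePropertyValue $note -PassThru
    }
}

Get-AutostartEntry | Add-AutostartNote | Format-Table -Property Note, Name, Command, Source -AutoSize -Wrap
```

Run it from a normal PowerShell prompt; the HKLM keys are readable without elevation. Once the list is in front of you, the bisect in Charles's post still applies: disable entries one at a time with RegProt left running, and reboot between changes.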
     
  6. 2004/10/10
    derfsch

    derfsch Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    319
    Likes Received:
    3
    Charles

    Following your advice, I removed the Startup programs one by one until there were no programs open in the Startup Utility. The RegProt was the last to be removed and the warning message appeared until I removed RegProt. With no programs open in the Startup Utility, no message appeared. I then allowed the programs to open one by one with the RegProt last. That is when the message re-appeared.

    The conclusion would seem to be that RegProt is causing the message. Now the question to be answered is do I answer Yes to allow the added Key to remain or remove it. Since I don't know too much about working in the registry, I still need further advice. Thank you.
     
  7. 2004/10/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi derfsch,

    I then allowed the programs to open one by one with the RegProt last. That is when the message re-appeared.

    You did it backwards.

    Regprot should be running at all times, opening the other programs one by one to see which is causing the message; that can only be done if Regprot is running.

    I have to emphasize here that this is not necessarily an indication of malware; lots of programs "need" to write to the Registry. It could also be XP itself.

    From what I remember about Regprot's messages, it would indicate what the program was. The message that you're showing doesn't do that, and that is the only reason this calls for investigation.

    It may also be the case that it is Regprot itself that wants to write to the Registry, or if you do not find the program, perhaps it is a "bad" install.

    If you don't get satisfaction on this, then delete the key. Before that, create a manual System Restore point. Or, back up the Registry manually: Create a folder, named for example Reg backup, then: Start > run > type regedit > ok > click on file in the tool bar > export to the folder that you created. If for any reason you would need this backup, then double click on the backed up reg file and it will ask if you want to "restore" it. You can also just backup the root: HKEY=HKEY_CLASSES_ROOT


    Regards - Charles
     
    Last edited: 2004/10/10
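The key in the RegProt message, HKEY_CLASSES_ROOT\vbsfile\shell\open\command, is the "open" verb for .vbs files: its default value is the command line Windows runs when a .vbs script is double-clicked. That is why a silent change there deserves a look; a handler pointed at some other binary would put that binary in front of every script launch, while a key that exists with no data (NAME= and DATA= empty, as in the message) simply leaves the verb broken. As an added example, not part of the thread and not RegProt's own logic, the script below first backs the key up the way Charles describes (regedit > File > Export, done here with reg.exe) and then walks the chain .vbs -> ProgID -> shell\open\command, reporting whether the handler is empty, the stock one, or something else, and for the last case which executable would run and whether it is signed. The expected handler string is the stock Windows value and is an assumption to confirm on a known-good machine; the backup folder name and the status labels are this editor's choices. Requires PowerShell 3.0 or later.

```powershell
# Added example, not code from the original thread.
# 1. Export HKCR\vbsfile to a .reg file (restorable by double-clicking it).
# 2. Audit what actually runs when a .vbs file is opened.
# Assumption: the stock handler string below; confirm on a known-good host.

function Backup-VbsFileKey {
    param([string]$BackupDir = (Join-Path $env:USERPROFILE 'Reg backup'))   # folder name is an assumption
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ('vbsfile_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKCR\vbsfile' $file | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg export HKCR\vbsfile failed (exit $LASTEXITCODE); the key may not exist"
        return $null
    }
    return $file
}

function Get-RawDefault {
    # Unexpanded (default) value of a key, or $null if the key or value is missing.
    # Get-ItemProperty would expand %SystemRoot%, which breaks a literal comparison.
    param([string]$Path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return $null }
    $v = $key.GetValue('', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ([string]::IsNullOrEmpty($v)) { return $null }
    return [string]$v
}

function Test-VbsHandler {
    # Stock value (REG_EXPAND_SZ) on a default Windows install; assumption, verify locally.
    $expected = '"%SystemRoot%\System32\WScript.exe" "%1" %*'

    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so a per-user override of the association shows up here too.
    $progId = Get-RawDefault 'Registry::HKEY_CLASSES_ROOT\.vbs'
    if (-not $progId) { $progId = 'vbsfile' }       # Windows' own mapping when .vbs is unset
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmd    = Get-RawDefault $cmdKey

    $result = [pscustomobject]@{ ProgId = $progId; Key = $cmdKey; Command = $cmd; Status = ''; Signer = '' }

    if (-not $cmd) {
        # The situation RegProt reported: key present, no data. The verb is broken,
        # not redirected; nothing runs until a handler is written.
        $result.Status = 'EMPTY'
        return $result
    }
    if ($cmd -eq $expected) {            # -eq is case-insensitive in PowerShell
        $result.Status = 'STOCK'
        return $result
    }

    # Non-stock handler: find the binary that would run and check its signature.
    $result.Status = 'NON-STOCK'
    $exe     = [regex]::Match($cmd, '(?i)^"?([^"]+?\.exe)').Groups[1].Value
    $exePath = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and (Test-Path -LiteralPath $exePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $exePath
        $result.Signer = '{0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
    } else {
        $result.Signer = 'target not found'
    }
    return $result
}

$backup = Backup-VbsFileKey
if ($backup) { "Backup written to $backup" }
Test-VbsHandler | Format-List
```

Reading the raw value matters: Get-ItemProperty expands REG_EXPAND_SZ data, so a literal comparison against the stock string would fail on every machine. If the audit reports NON-STOCK with an unsigned or unknown target, that is the case the thread's "delete the key" advice is for; EMPTY is what the original poster saw, and allowing it only restores a key with no handler in it.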
  8. 2004/10/11
    derfsch

    derfsch Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    319
    Likes Received:
    3
    Hi Charles

    "You did it backwards. "
    OK I started over with only RegProt on and added the other programs one at a time. The warning message appeared at the beginning, with only RegProt on, and appeared as each succeeding program was added.

    I followed your caution advice and created a System Restore point and also backed up the HKEY_CLASSES_ROOT key. Finally I clicked Yes to allow the registry entry. After shutting down and restarting, the warning message did not appear. So far the computer hasn't hiccupped yet. One final point, after doing a Find in the registry for the added string, nothing turned up. Again, Thank you for your help.
     
  9. 2004/10/11
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi derfsch,

    Glad it turned out well and thanks very much for posting back.

    Regards - Charles
     