
What's this? HKEY_CURRENT_USER\Software\¬™‹ˆžš£²‹“ž£¨šµ¾ ³

Discussion in 'Malware and Virus Removal Archive' started by mailman, 2005/08/11.

  1. 2005/08/11
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Upon perusing through my registry I discovered a strange (encrypted?) key:
    HKEY_CURRENT_USER\Software\¬™‹ˆžš£²‹“ž£¨šµ¾³

    I attached a .GIF of the key and subkey "folders ".

    Is this normal or should I have reason for concern? What exactly is it or what could it be? If unknown, how might I find out what it is?

    My OS is Win XP SP2 with latest updates (as of yesterday afternoon).
     
    Last edited: 2005/08/11
  2. 2005/08/11
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    That's a $64,000 question :D

    It may be legit - on the other hand it may not - have you any software installed either called DevCenter or which includes DevCenter - not much on Google on this of relevance. It is not 'normal' in that it does not appear to be related directly to Windows.

    It may be a corrupted Registry entry, but on the other hand it might be malware.

    A Google search for HKEY_CURRENT_USER\Software\¬™‹ˆžš£²‹“ž£¨šµ¾ ³
    is 'interesting' to say the least.

    As there is doubt over this there are several courses of action you might take .....

    If you have not already done so run Spybot and Ad-Aware and download Ewido and run the trial and see if anything comes up.

    The sledgehammer approach is to export the entire string from the registry and then delete it from the registry, reboot and see what piece of software no longer works. You can always merge the deleted string back into the registry if necessary.

    Will be interested to see what others view on this is.

    Final course of action - download HijackThis through Quicklinks in my signature, save it to a folder on your drive, say C:\HJT - not the desktop or a temporary folder, run it and post the log here.
    Yes - you will not see the attachment in Preview Post, but it should be listed in the Attach files box below the message pane. You must post the thread in order to see the thumbnail.
     
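A defender-side script, added here as an example and not taken from the thread, that automates the safe half of Pete's suggestion: it finds HKCU\Software subkeys whose names contain non-printable or non-ASCII characters (like the one mailman found), prints their contents for inspection, and exports each to a .reg backup before anyone considers deleting it. The backup folder C:\RegBackup is an assumption; the script deletes nothing.

```powershell
# Added example (not from the thread): inventory and back up HKCU\Software
# subkeys with unreadable names before any manual export/delete decision.
$BackupDir = 'C:\RegBackup'   # assumed location; change as needed
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Test-SuspiciousKeyName {
    param([string]$Name)
    # Flag any name containing a character outside printable ASCII (0x20-0x7E).
    # Legitimate vendors occasionally use non-ASCII names, so this is a
    # triage filter, not a verdict.
    return ($Name -match '[^\x20-\x7E]')
}

$hits = Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { Test-SuspiciousKeyName $_.PSChildName }

foreach ($key in $hits) {
    $fullPath = $key.Name   # e.g. HKEY_CURRENT_USER\Software\<odd name>
    Write-Host "Suspicious key: $fullPath"
    Write-Host "  Subkeys: $($key.SubKeyCount)  Values: $($key.ValueCount)"

    # Dump values so the reader can look for file paths, CLSIDs or vendor
    # names that identify the owning software.
    Get-ItemProperty -Path $key.PSPath | Format-List | Out-String | Write-Host

    # Build a filesystem-safe file name from the key name's code points,
    # since the raw name may not be usable in a path.
    $safeName = -join ($key.PSChildName.ToCharArray() |
        ForEach-Object { '{0:X4}' -f [int]$_ })
    $outFile = Join-Path $BackupDir "HKCU_Software_$safeName.reg"

    # reg.exe export writes the whole key tree, including subkeys.
    # Restore later with:  reg.exe import <file>
    & reg.exe export $fullPath $outFile /y | Out-Null
    Write-Host "  Exported to $outFile"
}

if (-not $hits) {
    Write-Host 'No HKCU\Software subkeys with non-ASCII names found.'
}
```

Only after the export succeeds and the contents have been reviewed would one remove the key by hand, as the thread describes, keeping the .reg file to merge back if something stops working.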

  4. 2005/08/11
    mailman Geek Member Thread Starter
    Thanks, Pete.

    I added images to the first post and I'm adding images of the rest of the subkey data to this post.

    I have scanned with several anti-malware programs (Spybot, Ad-Aware Pro, Microsoft AntiSpyware, Spy Sweeper, Trojan Hunter, NAV, and Trend Micro Europe online) but have yet to scan with Ewido. :)

    I have looked over my HJT log and nothing appears to me to be wrong (as far as I can tell anyway).

    I will scan with Ewido and if I come up empty there, I'll try the registry key export/delete you suggest.

    Thanks again.

    Here are the rest of the subkey data images in case they may shed more light for someone...
     
  5. 2005/08/11
    PeteC SuperGeek Staff
    If the export/delete of the Registry string fails to resolve anything feel free to post the HJT log for the experts to look at.

    Keep us posted, please.
     
  6. 2005/08/11
    mailman Geek Member Thread Starter
    I also Googled the key info and I agree...weird...only 127 or so results and some are dubious, to say the least. :-/

    I DL'd Ewido and will scan shortly.

    I hope I'm not violating protocol too badly by pasting the HJT log now (in case anyone wants to look at it ahead of time).

    Logfile of HijackThis v1.99.1
    Scan saved at 6:15:20 AM, on 8/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\Pyrenean\eDexter\eDexter.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Courier Email\Courier.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\OPScan.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xxx.xxx.xxx.xxx/ <--my router's control panel IP (redacted digits)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hardened Hosts, IE Start Page, IE Control Panel Settings via Spybot S&D
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .thp: C:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
    O15 - Trusted Zone: http://support.f-secure.com
    O15 - Trusted Zone: http://www.pandasoftware.com
    O15 - Trusted Zone: http://Download.Windowsupdate.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093270777734
    O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC9EBFD1-8406-4327-A016-E03F5EB2987D}: NameServer = 209.153.128.4,169.207.1.3
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
     
  7. 2005/08/11
    PeteC SuperGeek Staff
    No problem :)
    To my (inexperienced) eye on HJT logs nothing stands out, but the experts may notice something.

    Now that you have posted an HJT log I have moved your thread to the Removing Spyware & Viruses forum - std BBS procedure.
     
  8. 2005/08/11
    mailman Geek Member Thread Starter
    Thanks again, Pete. I have studied other people's HJT logs a few times along with my own over the past several months and I'm getting more familiar with them. It would be reassuring to get an "It's OK" from one of the experts though just to be certain. However, I know they're busy so I won't complain if I don't get any response about my HJT log.

    I searched my computer ( "All files and folders ") for devcenter and found nothing.

    I installed Ewido (without installing Background Guard) and ran a full scan after updating the definitions. Ewido flagged one file contained in a "Network Tracer" ZIP file I downloaded last December...

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 7:50:01 AM, 8/11/2005
    + Report-Checksum: E9F93E4B

    + Scan result:

    C:\DL\Downloads\Network Tracer\2004-12-31\nc111nt.zip/nc.exe -> Trojan.Shell3hd : Cleaned with backup


    ::Report End

    I have another nc.exe contained in a "trace.zip" file (which TH has flagged as RiskWare) but Ewido ignores. I think I ran nc.exe in one of my tinkering moods around January 1 but I can't be certain which nc.exe I ran.

    I don't remember where I got those files from.

    I will try the registry key export/delete next and see if my machine burps in the next few days.

    I will post immediately if something breaks (if it doesn't hose my computer). Otherwise, I'll post back sometime in the next week or so to bring closure to the thread.
     
  9. 2005/08/12
    mailman Geek Member Thread Starter
    I deleted the registry key and my computer has been working well. Therefore, you may close this thread.

    If I need the thread opened again, I'll let you know.

    Thanks again, Pete.
     
  10. 2005/08/12
    PeteC SuperGeek Staff
    Glad to hear that there are no apparent ill effects :) Don't lose the backup of that key!

    Posts are closed automatically after a set period of time (3 months?) - after that you will need to start a new thread.
     
