Unknown Registry Entry

#1 (permalink)
Winnipeg, 10-04-2007, 05:44 AM
Unknown Registry Entry

Does anyone know why this subkey in HKEY_CURRENT_USER would be here?

OH
HO `/'e' [looks something like that] type: REG_BINARY Data: 2c 00 00 00 00 00 00 00 00 01 ff(20 f's)

then if you hover the mouse over the value it keeps going 04 04 04.............................................

All the other keys HKCR, HKLM, HKU and HKCG, Name=Default/ Type=REG_SZ/ Data=Value not set.

HKEY_CURRENT_USER....... The only key that has two entries, all the other keys have one (default)

I don't ever remember this key being there and I didn't put it there.

#2 (permalink)
Winnipeg, 10-04-2007, 03:58 PM
Re: Unknown Registry Entry

If this helps any the HO `/'e' ( this might be a /r' ) I can't tell it is written really funny.

Whatever this entry is...... so far it's changed all my folders.

My anti-virus (AVG) not finding anything.... Online scans negative.

Spyware scans are negative, Windows Defender didn't flag anything.

Checked registry entry.... run, run once, run ex...... disabled.

Scanned with hijack this last night didn't see anything that changed from the
last time I scanned...... No new entries added.

If this is a virus or malware, so far every scan I run is negative.

The last time I had a virus was 3 years ago and the anti-virus caught it.

The machine is up to date with all the latest definitions, all critical updates
applied, anti-virus and spyware all up to date.

When I log out in a few minutes, I'm going to run more online scans.

Checked Google, snap, ChaCha and a few others, so far nothing.

#3 (permalink)
Winnipeg, 10-04-2007, 07:15 PM
Re: Unknown Registry Entry

Would one of the moderators..... Please move Unknown Registry Entry
to the spyware forum.

Since my last post.....Windows was asleep and I was doing something around the house and I heard the hard drive kick in which woke Windows up.

When I saw the red light on, I opened up active ports.

There was an entry from Remote IP 80.86.106.67 using port 80

Traced IP came back to Ripe Networks.

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2005-07-27

Would have added this post to previous one but could not edit last post.

Thanks

#4 (permalink)
Winnipeg, 11-04-2007, 10:35 PM
Re: Unknown Registry Entry

Checked forum to see if anybody replied to Unknown Registry Entry.

I was really surprised to see I had the option to edit the post, so I typed out my information and entered the reason in the box for editing the post and hit the save button, I thought the info that took 20 minutes to enter would just be added to my previous post.... No such luck..... message came up on screen I didn't have permission and should refresh the browser and login. I don't know why the edit button was visible to me because I'm not a moderator and the message was posted yesterday, so I should not have been able to use this option and losing everything I wrote confirms this.


Name Type Data

(ab) [Default] REG_SZ (value not set)

(OH) ¼ž¹ REG_BINARY 2c 00 00 00 00 00 00 00 01
(HO)

after the 01 00 00 00 ff ff ff ff ff ff ff ff ff ff ....

I thought the letter was a small ' e ' or ' r ' but when I right clicked the entry to modify, I got a good look at the letter and it is a ' z ' with the fraction in front 1/4.

This is the key I'm trying to find out about, so far searching on the Internet proved futile.

Should I delete this entry.... losing more and more control of the system can not right click on anything anymore since doing it in the registry. Windows seems to be going " down hill " fast.

Hkey_Current_User........ Name = ¼ž¹

Type = Reg_Binary

Data = Value =
0000 2C 00 00 00 00 00 00 00 ........
0008 01 00 00 00 FF FF FF FF ....yyyy
0010 FF FF FF FF FF FF FF FF yyyyyyyy
0018 FF FF FF FF 04 00 00 00 yyyy....
0020 16 00 00 00 FF 01 00 00 ....y....
0028 27 01 00 00 ' ..
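
Added example, not part of the original thread or any poster's words: the 44 bytes in the dump above read cleanly as eleven little-endian 32-bit integers whose first field (0x2C = 44) equals the data length. The field names assume the Win32 WINDOWPLACEMENT layout, which has the same size and shape; that reading is an assumption, and the thread itself never identifies the value.

```python
import struct

# Bytes transcribed from the hex dump in post #4 (ASCII column dropped).
DUMP = """\
0000 2C 00 00 00 00 00 00 00
0008 01 00 00 00 FF FF FF FF
0010 FF FF FF FF FF FF FF FF
0018 FF FF FF FF 04 00 00 00
0020 16 00 00 00 FF 01 00 00
0028 27 01 00 00
"""

# Assumed field names: the Win32 WINDOWPLACEMENT layout (3 UINTs, 2 POINTs, 1 RECT).
FIELDS = ("length", "flags", "showCmd",
          "ptMin.x", "ptMin.y", "ptMax.x", "ptMax.y",
          "rc.left", "rc.top", "rc.right", "rc.bottom")
LAYOUT = "<3I8i"  # little-endian: 3 unsigned + 8 signed 32-bit values = 44 bytes


def parse_dump(text):
    """Turn 'offset b0 b1 ...' rows into bytes, rejecting gaps in the offsets."""
    out = bytearray()
    for row in text.strip().splitlines():
        offset, *cells = row.split()
        if int(offset, 16) != len(out):
            raise ValueError(f"row {offset} does not follow the previous row")
        out += bytes(int(c, 16) for c in cells)
    return bytes(out)


def decode(blob):
    """Decode a length-prefixed record; fail loudly if it is not that shape."""
    if len(blob) != struct.calcsize(LAYOUT):
        raise ValueError(f"expected 44 bytes, got {len(blob)}")
    values = struct.unpack(LAYOUT, blob)
    if values[0] != len(blob):
        raise ValueError("length prefix does not match the data size")
    return dict(zip(FIELDS, values))


def window_size(rec):
    """Width and height implied by the rectangle fields."""
    return rec["rc.right"] - rec["rc.left"], rec["rc.bottom"] - rec["rc.top"]


if __name__ == "__main__":
    rec = decode(parse_dump(DUMP))
    for name in FIELDS:
        print(f"{name:10} {rec[name]}")
    print("size", window_size(rec))
```

Decoding an unknown REG_BINARY value this way before deleting it is a cheap triage step: a length prefix, -1 sentinels and small coordinates are what saved window-position data looks like under the assumed layout.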

#5 (permalink)
jephree, 11-04-2007, 11:02 PM
Re: Unknown Registry Entry

Sorry I wasn't watching this thread.

I would suggest posting a new thread in the HijackThis section with log if you think that would help.

I will move this one if you want but in all honesty it is a bit confusing as it is.

#6 (permalink)
Winnipeg, 12-04-2007, 12:53 AM
Re: Unknown Registry Entry

Maybe this will help, all my registry keys are default.

This key HKCU, should be listed as being default there should be no subkey
much less one in binary, I don't know why this one is there and all my scans
come up ok, even the online ones.

Registry

Name = default

Type = Reg_Sz

Data = value not set

This is what all registry keys were last week, except HKCU changed and a second entry was added.

I was trying to find out if anyone in the forum knew what this entry was.

I ran hijack this 3 weeks ago before this entry was added and everything was ok, running it last night didn't show any change from 3 weeks ago.

Trying to find info.... OH/HO ¼ž¹ thought maybe you guys came across this entry.

Hope this helps

#7 (permalink)
jephree, 12-04-2007, 01:08 AM
Re: Unknown Registry Entry

The furthest I've gotten in searching is this:

http://www.google.com/search?hl=en&s...9+&btnG=Search

¼ž¹ just brings up PDF pages of mathematical proofs.

Will keep looking.

You might want to ask over in the HijackThis section just in case they have seen something similar.

Have you run a registry cleaner?

Or perhaps this Optimizer.

#8 (permalink)
Winnipeg, 12-04-2007, 07:42 AM
Re: Unknown Registry Entry

That's the kind of sites I get to when searching for that entry.

Tomorrow going to send in a hijack log, so if you wouldn't mind please move
this thread to the spyware forum.

I would really like to delete the entry because I think it is malware or spyware but I know it's in other places and I want to delete the whole thing, but I don't know what the heck it is.

I guess now would be a good time to post a hijack log even though I ran a scan about 3 weeks ago when nothing was wrong and I ran a scan last night
and nothing different has showed up in the logs, but I'm not an expert hgt log
reader. Microsoft had updates out last night and I installed them last night only tonight at 11:55pm there was another update out malicious software removal tool, I guess they forgot to put it in with the other updates scanned
machine but didn't find anything.

I use two reg. cleaners.... RegSeeker & RegScrub.

Thanks for the help.

#9 (permalink)
Winnipeg, 16-04-2007, 05:38 AM
Re: Unknown Registry Entry

Would you please take a look at my hijack log to see if there is anything bad.

There is an entry 014 > IERESET.INF: SearchAssistant=

I have deleted this entry 30 times using hijack and as soon as I confirm the deletion in hijack and then run a scan it's back. The program hijack says the entry has been deleted. I don't think it's too bad because the machine runs good and this entry has been on my machine for over 4 years.

In my registry when you click on a key HKCR, HKLM, HKU and HKCG. they all say Name=Default/ Type=REG_SZ/ Data=Value not set except when I click on Hkey_Current_User there is a subkey listed.... Name = ¼ž¹, type = Reg_Binary.
Since this entry showed up last week my folders have been changed, mouse is doing weird things and windows is starting to go downhill fast.

Logfile of HijackThis v1.99.1
Scan saved at 10:50:11 PM, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121819275437
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://cams.salden.nl:4444/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://msdn.demoservers.com/msrdp.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 (permalink)
VopThis, 16-04-2007, 06:04 AM
Re: Unknown Registry Entry

There are no obvious issues in your posted HijackThis LOG.



Your best option may be to try a system restore point (if available) to a date before any known problems or before you started performing any recent fixes?

Click on Start>All Programs>Accessories>System Tools>System Restore.

Check Restore my computer to an earlier date> Click Next.

Choose the date before you performed any recent fixes and click Next and Next again.
__________________
Vincent P
