sys.reg file found on client machine

Discussion in 'Spyware' started by na, Apr 11, 2004.

  1. na

    na Guest

    I found this sys.reg file (along with it being run in the registry). Any
    ideas what this was or where it came from? Spybot and Ad-Aware did not
    detect it.

    Below is the contents of the sys.reg file

    --------------------------------------------------------------------------------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SystemSearch"="REGEDIT.EXE -s C:/WINDOWS/sys.reg"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml]
    @=" "
    "CLSID"=" "

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
    "SearchURL"="http://www.i--search.com/ie/"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Use Search Asst"="no"
    "Use Custom Search URL"=dword:00000001
    "Default_Search_URL"="http://www.i--search.com/ie/"
    "Search Page"="http://www.i--search.com/ie/"
    "Search Bar"="http://www.i--search.com/ie/"
    "SearchURL"="http://www.i--search.com/ie/"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.i--search.com/ie/"
    "CustomizeSearch"="about:blank"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.i--search.com/ie/"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.i--search.com/ie/"
    "Default_Search_URL"="http://www.i--search.com/ie/"

     
    na, Apr 11, 2004
    #1
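As an added illustration (not part of the thread), here is a small Python checker that parses REGEDIT4 text like the file above and flags the three things that make it suspicious: a Run-key entry that re-imports the file itself, Internet Explorer search values pointed at a non-Microsoft host, and a blanked mhtml protocol handler. The sample input is a constructed, abridged copy of the posted file, and the "microsoft.com" allow-list is an assumption of this example.

```python
# Constructed sample: an abridged copy of the sys.reg posted above (hex value shortened).
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemSearch"="REGEDIT.EXE -s C:/WINDOWS/sys.reg"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml]
@=" "
"CLSID"=" "
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Custom Search URL"=dword:00000001
"Default_Search_URL"="http://www.i--search.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBarLayout"=hex:11,00,00,00,4c,\
  00,00,00
"""

def parse_reg(text):
    """Parse REGEDIT4 text into {key: {value_name: raw_value}}, joining hex continuation lines."""
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.endswith("\\"):                      # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        if key is not None:                          # "@" names the key's default value
            name, _, value = line.partition("=")
            entries[key][name.strip('"')] = value
    return entries

SEARCH_VALUES = {"SearchURL", "Default_Search_URL", "Search Page", "Search Bar",
                 "SearchAssistant", "CustomizeSearch"}

def find_hijack_indicators(entries):
    """Flag autorun entries, IE search URLs not on microsoft.com (assumed allow-list), blanked mhtml handler."""
    findings = []
    for key, values in entries.items():
        k = key.upper()
        if k.endswith(("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")):
            findings += [("autorun", key, n, v.strip('"')) for n, v in values.items()]
        if "\\INTERNET EXPLORER" in k:
            for n, v in values.items():
                url = v.strip('"')
                if n in SEARCH_VALUES and url.startswith("http") and "microsoft.com" not in url.lower():
                    findings.append(("search-hijack", key, n, url))
        if k.endswith("\\PROTOCOLS\\HANDLER\\MHTML") and "CLSID" in values and not values["CLSID"].strip('" '):
            findings.append(("mhtml-handler-blanked", key, "CLSID", values["CLSID"]))
    return findings
```

Run it over the full file from the post (or any exported .reg) and every autorun entry and redirected search URL is listed with the key it lives under, which is what to remove and what to watch for coming back.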

  2. http://www.sophos.com/virusinfo/analyses/trojseekerf.html

    is your friend
     
    Glenn Banwell, Apr 11, 2004
    #2

  3. Aaron HULETT

    Aaron HULETT Guest

    We should see this. Were you using the latest reference file with our full
    scan settings at http://www.lavahelp.com/howto/fullscan ?

    Thanks,

    Aaron
     
    Aaron HULETT, Apr 11, 2004
    #3
