blank value when it should read "value not set"

 
 
KnowWhen2HoldemKnowWhen2Foldem
8th May 2006
A couple of days ago I had the misfortune to click on a web site which had
"Download.Trojan" embedded in a picture file called "IE0601e(1)wmf". The
website for this picture was an untraceable website in Russia which was
traced through a supposedly legitimate server in Amsterdam. Norton AV
immediately notified me of this attempt to install the trojan, however, I do
not know whether the quarantine contained the trojan as I could not examine
the file nor confirm its deletion. I had to deinstall Norton which told me
it deleted the quarantined file. I then reinstalled and ran a scan with the
latest signature and no trojan was found. However, I was examining my
startup files and ran across the following startup item:

a blank "startup item"
a blank "command"
the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I then went to the Run key and found a number of startup items that were
correct but one startup that seemed to correspond with this blank startup
item in the (default) key:

(Default) REG_SZ
There is no (value not set) under the data type.

Examining the binary for data shows:
0000 00 00 ..

Attempts to reset the value to "(value not set)" failed.

There was the same problem for the hierarchical registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\


The only key in this sequence that has the correct name, type and data is
the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

This shows:
(Default) REG_SZ (value not set)
The Binary for data shows:
0000


Is this an acceptable variant for WinXP registry or does it indicate some
sort of registry problem possibly secondary to the trojan or other virus?


 
Mark V
9th May 2006
In microsoft.public.win2000.registry
KnowWhen2HoldemKnowWhen2Foldem wrote:

> A couple of days ago I had the misfortune to click on a web site
> which had "Download.Trojan" embedded in a picture file called
> "IE0601e(1)wmf". The website for this picture was an untraceable
> website in Russia which was traced through a supposedly
> legitimate server in Amsterdam. Norton AV immediately notified
> me of this attempt to install the trojan, however, I do not
> know whether the quarantine contained the trojan as I could not
> examine the file nor confirm its deletion. I had to deinstall
> Norton which told me it deleted the quarantined file. I then
> reinstalled and ran a scan with the latest signature and no
> trojan was found. However, I was examining my startup files and
> ran across the following startup item:
>
> a blank "startup item"
> a blank "command"
> the following location:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> I then went to the Run key and found a number of startup items
> that were correct but one startup that seemed to correspond with
> this blank startup item in the (default) key:
>
> (Default) REG_SZ
> There is no (value not set) under the data type.
>
> Examining the binary for data shows:
> 0000 00 00 ..
>
> Attempts to reset the value to "(value not set)" failed.


Delete it. "(Default)"
The system will "re-create" "default" as un-set.
Also known as "<no name>"

> There was the same problem for the hierarchical registry keys:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
> HKEY_LOCAL_MACHINE\SOFTWARE\
>
>
> The only key in this sequence that has the correct name, type
> and data is the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>
> This shows:
> (Default) REG_SZ (value not set)
> The Binary for data shows:
> 0000
>
>
> Is this an acceptable variant for WinXP registry or does it
> indicate some sort of registry problem possibly secondary to the
> trojan or other virus?



("value not set") means just that, never been set to anything.
Realize that this is an artifact of the registry tool in part.
Some tools will simply not display anything at all for this un-set
state.


I suggest you research details about the Trojan, which most often
include the registry and file changes attempted.
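
The distinction discussed above, as an added example that is not part of either post: in a regedit "Version 5.00" export, a key whose (Default) value has been set to the empty string carries an `@=""` line (stored as the two-byte UTF-16 terminator, the "00 00" seen in the binary editor), while a key whose default was never set has no `@=` line at all. The sample export, the `HKEY_LOCAL_MACHINE\SOFTWARE\Example` key, the file paths and the function names are constructed for illustration, and flagging non-empty defaults under Run keys is this example's own triage heuristic.

```python
import re

# Constructed sample in regedit's "Version 5.00" export format (not from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Run]
@="C:\\Example\\placeholder.exe"
'''

KEY_LINE = re.compile(r'^\[(?!-)(.+)\]$')   # "[-KEY]" lines delete a key; ignored here
DEFAULT_LINE = re.compile(r'^@=(.*)$')      # "@" is the export syntax for (Default)

def classify_defaults(reg_text):
    """Map each exported key to 'unset', 'empty' or 'data' for its (Default) value."""
    states, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            states[current] = "unset"      # no "@=" line seen yet for this key
            continue
        m = DEFAULT_LINE.match(line)
        if m and current is not None:
            # '@=""' means the default exists but holds only the string terminator.
            states[current] = "empty" if m.group(1) == '""' else "data"
    return states

def run_defaults_with_data(states):
    """Heuristic of this example: Run keys whose (Default) holds real data."""
    return sorted(k for k, s in states.items()
                  if s == "data" and k.upper().endswith("\\RUN"))

if __name__ == "__main__":
    result = classify_defaults(SAMPLE_EXPORT)
    for key, state in result.items():
        print(f"{state:6} {key}")
    print("review:", run_defaults_with_data(result))
```

An "empty" result corresponds to the blank entry described in the first post, and "unset" to the "(value not set)" display.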
 