Re: blank value when it should read "value not set"



In microsoft.public.win2000.registry
KnowWhen2HoldemKnowWhen2Foldem wrote:

A couple of days ago I had the misfortune to click on a web site
which had "Download.Trojan" embedded in a picture file called
"IE0601e(1)wmf". The website for this picture was an untraceable
website in Russia which was traced through a supposed
legitimate server in Amsterdam. Norton AV immediately notified
me of this attempt to install the trojan, however, I do not
know whether the quarantine contained the trojan as I could not
examine the file nor confirm its deletion. I had to deinstall
Norton which told me it deleted the quarantined file. I then
reinstalled and ran a scan with the latest signature and no
trojan was found. However, I was examining my startup files and
ran across the following startup item;

a blank "startup item"
a blank "command"
the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I then went to the Run key and found a number of startup items
that were correct but one startup that seemed to correspond with
this blank startup item in the (default) key:

(Default) REG_SZ
There is no (value not set) under the data type.

Examining the binary for data shows:
0000 00 00 ..

Attempts to reset the value to "(value not set)" failed.

Delete it. "(Default)"
The system will "re-create" "default" as un-set.
Also known as "<no name>"

There was the same problem for the hierarchical registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\


The only key in this sequence that has the correct name, type
and data is the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

This shows:
(Default) REG_SZ (value not set)
The Binary for data shows:
0000


Is this an acceptable variant for WinXP registry or does it
indicate some sort of registry problem possibly secondary to the
trojan or other virus?


("value not set") means just that, never been set to anything.
Realize that this is an artifact of the registry tool in part.
Some tools will simply not display anything at all for this un-set
state.


I suggest you research details about the Trojan, which most often
include the registry and file changes attempted.
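
The difference discussed in this thread, between a (Default) value that was never set and one that is set to an empty string, can be checked without relying on how a registry tool displays it. The following is an added example, not part of either post; the helper name Get-DefaultValueState is hypothetical, and the key list is the one given in the question.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
# Get-DefaultValueState is a hypothetical helper name.
# Note: from a 32-bit PowerShell on 64-bit Windows, HKLM\SOFTWARE is
# redirected to the WOW6432Node view.
function Get-DefaultValueState {
    param([Parameter(Mandatory)][string]$SubKey)

    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)  # opens read-only
    if ($null -eq $key) {
        return [pscustomobject]@{ Key = "HKLM\$SubKey"; State = 'key not found'; Kind = $null; Data = $null }
    }
    try {
        # The default value is the one stored under the empty name.
        # If that name is absent, Regedit displays "(value not set)".
        if ($key.GetValueNames() -notcontains '') {
            $state = 'not set'; $kind = $null; $data = $null
        } else {
            $kind = $key.GetValueKind('')
            $data = $key.GetValue('', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            # An empty REG_SZ is stored as a lone UTF-16 terminator (00 00).
            if ($data -is [string] -and $data.Length -eq 0) { $state = 'set, empty string' }
            else { $state = 'set, has data' }
        }
        [pscustomobject]@{ Key = "HKLM\$SubKey"; State = $state; Kind = $kind; Data = $data }
    } finally {
        $key.Close()
    }
}

# The keys listed in the question, from the hive root down to Run.
$paths = @(
    'SOFTWARE',
    'SOFTWARE\Microsoft',
    'SOFTWARE\Microsoft\Windows',
    'SOFTWARE\Microsoft\Windows\CurrentVersion',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$paths | ForEach-Object { Get-DefaultValueState -SubKey $_ } | Format-Table -AutoSize
```

A row reported as "set, has data" under the Run key is the one to look at closely, since any data there is a command line executed at logon.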