-=PCTechTalk=- Re: PC Remote Control

Whoa!!  Are you suggesting I go into the dreaded, scary registry??  I have 
been "programmed" to never mess with the registry.
Just in case I find the courage, how do I "open up the editor"?
Sandi
----- Original Message ----- 
From: "GMan" <gman.pctt@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Thursday, March 27, 2008 7:12 PM
Subject: -=PCTechTalk=- Re: PC Remote Control


> Hi Sandi,
>    The fact that this file is 0 bytes tells me more than all of the other
> stuff combined.  Either the file acts as a shortcut to another executable
> (.exe, .com, .bat, etc.) or it's absolutely worthless.  The registry key
> info you've provided further tells us that this file calls Windows' Common
> Dialog ActiveX control (ComDlg32) in order to record some aspect of your
> computing activities (MRU stands for 'Most Recently Used') somewhere.  This
> does not necessarily indicate a spyware manifestation.  The Common Dialog
> control provides a standard set of dialog boxes for operations such as
> opening and saving files, setting print options, and selecting colors and
> fonts that ships with Visual Basic (VB) 5.0, which is used by program
> developers specifically licensed to create apps with VB5.  In most cases,
> Windows uses the info to remember things like the last location you used to
> save a downloaded file of a specific type.  This is why different Save To
> locations open when you save a JPG image file versus an EXE type file.
>
>    To figure out if the file actually belongs to something else (benign or
> malicious), run a registry search for the filename ("PC Remote Control.exe")
> and see what kind of results you get.  The trick with Reg searches is to
> open up the editor, press F3, type in the term and tell it to search.  It
> will stop when it locates its first hit.  Investigate the hit and then press
> F3 to resume the search.  Eventually, pressing F3 will produce a "You've
> reached the end of the registry" message which tells you that you've seen
> all instances of the search term.
>
>    By "investigate the hit", I mean take a look inside any related keys
> that are present, too.  For example:
>
> http://www.itemuk.com/screens/standalone.jpg
>
>    In this image, the registry is opened to a key called "3.03", but it is
> obviously related to its parent key ("Item Toolkit") and its parent's parent
> key ("Item Software").  My suggestion is to take a look inside both of those
> to see if they provide any additional info you can use to determine the
> purpose of this "PC Remote Control" file.  If there are other keys at the
> same level as the hit, check those out as well.
>
>    Also keep in mind that you only need to investigate long enough to gain
> a clear understanding of the purpose of the file.  If that is satisfied by
> the first hit, there is no real reason to continue looking for more of them.
> Of course, if you're not 100% sure of your understanding, don't stop looking
> until you are.     lol
>
> Peace,
> G
>
> http://tinyurl.com/ypbuue
>
> "The only dumb questions are the ones we fail to ask!"
>
> ----- Original Message ----- 
> From: "Sandi Beach" <sandib2@xxxxxxxxx>
> To: <pctechtalk@xxxxxxxxxxxxx>
> Sent: Thursday, March 27, 2008 3:35 PM
> Subject: -=PCTechTalk=- Re: PC Remote Control
>
>
>> I found I could run an analysis of the file so I did that, copied the report
>> to the clipboard and now will paste it here:
>>
>> Analyzing file C:\PC Remote Control.exe
>>
>> File size: 0
>>
>> File MD5: 00000000000000000000000000000000
>>
>>
>> Scanning Registry:
>>
>> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\e
>> C:\PC Remote Control.exe
>>
>> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\c
>> C:\PC Remote Control.exe
>>
>> Done
>>
>> Does this help you to tell me if this is a legitimate threat?
>>
>> Sandi
>
>


---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything 
below it) and adjust the subject line as necessary.

To unsubscribe or change your email settings:
http://www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
http://www.freelists.org/archives/pctechtalk/

To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx
---------------------------------------------------------------
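The triage GMan walks Sandi through (check what the file itself is, read the OpenSaveMRU entries the scanner found, then F3 through the registry for the filename) can be done in one go from PowerShell. This is an added example for this thread, not code from either poster or from the scanner Sandi used. It assumes Windows PowerShell 4 or later (for Get-FileHash), the file path and name from Sandi's report, and an XP-style OpenSaveMRU key whose values are plain strings; on Vista and later the same history lives in OpenSavePidlMRU as binary data, which the string search below does not decode.

```powershell
# Added example (not from the original thread): triage a file reported by a
# registry scan, then search the registry for its name the way the regedit
# F3 loop does, but unattended and with every hit returned at once.
# Assumed inputs, taken from Sandi's report; change them for another file.
$FilePath = 'C:\PC Remote Control.exe'
$Needle   = 'PC Remote Control.exe'

# 1. Facts about the file itself: size, timestamps, hash, Authenticode status.
function Get-FileTriage {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "Not present: $Path" }
    $item = Get-Item -LiteralPath $Path
    $hash = if ($item.Length -gt 0) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } else { '(empty file; nothing to hash or scan)' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $item.FullName
        Bytes     = $item.Length
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        Sha256    = $hash
        Signature = $sig.Status      # NotSigned for an empty or unsigned file
    }
}

# 2. The OpenSaveMRU history the scanner was reading: one subkey per extension,
#    lettered values (a, b, c ...) holding paths typed into Open/Save dialogs,
#    and an MRUList value whose letter order is most-recent first.
function Get-OpenSaveMru {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base | ForEach-Object {
        $ext   = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $order = [string]$props.MRUList          # '' if the value is missing
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^[a-z]$' -and $p.Value -is [string]) {
                [pscustomobject]@{
                    Extension = $ext
                    Slot      = $p.Name
                    Rank      = $order.IndexOf($p.Name)   # 0 = most recent, -1 = not in MRUList
                    Path      = $p.Value
                }
            }
        }
    }
}

# 3. Walk the hives for any key name or string value containing the filename.
#    Case-insensitive substring match, so it catches both MRU slots and any
#    Run/Uninstall/App Paths entry that points at the same file.
function Find-RegistryString {
    param([string]$Needle, [string[]]$Hives = @('HKCU:\', 'HKLM:\SOFTWARE'))
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName.IndexOf($Needle, $cmp) -ge 0) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                $text = if ($data -is [string]) { $data }
                        elseif ($data -is [string[]]) { $data -join "`n" }
                        else { $null }                       # skip binary/DWORD data
                if ($text -and $text.IndexOf($Needle, $cmp) -ge 0) {
                    $shown = if ($name) { $name } else { '(Default)' }
                    [pscustomobject]@{ Key = $key.Name; Value = $shown; Data = $text }
                }
            }
        }
    }
}

Get-FileTriage -Path $FilePath | Format-List
Get-OpenSaveMru | Where-Object { $_.Path -like "*$Needle*" } | Format-Table -AutoSize
Find-RegistryString -Needle $Needle | Format-Table -AutoSize -Wrap
```

Two things worth reading off the output. First, an OpenSaveMRU hit only proves that some Open or Save dialog once had that path in it; it records the dialog's path, not which program showed the dialog, so the interesting hits are the ones outside ComDlg32 (Run keys, Uninstall entries, App Paths, services). Second, the report's MD5 of all zeros is not the hash of an empty file (that would be d41d8cd98f00b204e9800998ecf8427e); it means the scanner skipped hashing because the file has no content, which is why the example refuses to hash a 0-byte file rather than report a misleading value.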