Suspicious Registry Entries?



The following are showing up in my registry and even after Googling them I don't know if they are good or bad. Any ideas? Thanks!

HKLM\Software\C07ft5Y\WinXP

C07ft5Y reads:

(Default) REG_SZ SafeDisc RefCount

WinXP reads:

(Default) REG_SZ

HKLM\CoreSecurity\DriverInfo6\Drivers

CoreSecurity and DriverInfo6 read:

(Default) REG_SZ (value not set)

Drivers reads:

(Default) REG_SZ (value not set)

sysTmcowjw REG_Binary ad af af a9 ae ad ae ad ad ac ac ad ae a7 9f

vid REG_SZ


HKLM\Software\C07ft5Y\WinXP

This one I have too. I found out that it's put there by Windows, so I guess it's "good". The other one, I'm not sure of.


I have already read anything and everything found by Googling including that web page. That doesn't answer my question, but thanks anyway. :)

What is this? HKLM\Software\C07ft5Y\WinXP

.... and why would it be installed with XP even on a clean installation? The name alone looks suspicious and it's odd that no one seems to be able to give a more detailed explanation. I even checked the Microsoft website without any results. If it was theirs you would think that there would be some sort of information on their support site about it. :huh:


If you are that worried about it, delete it and see if you can find what doesn't work. (I'm not responsible if you actually try this.) If it's supposed to be there, there is no point in losing sleep over it. I'm sure there are tons of keys that look suspicious that no one but the developers can explain.


Yes, it comes on a clean installation and it's certainly not malicious. It's used by SafeDisc, which is a copy-protection scheme used by many games and software, using the driver secdrv.sys. It's made by Macrovision Corp., and is included in Windows XP by default - a lot of Microsoft games themselves use SafeDisc protection, e.g., Age of Empires. If you have AoE2 installed, it'll create subkeys like "Empires2" and "Age2_x1".

Yes, it's totally safe to delete the reg key, but in all probability, whenever you play a SafeDisc game or install SafeDisc-protected software, it'll be back.

Edited by [deXter]

Great, thanks for the closure on that one! :D

Any ideas on this other one?

HKLM\CoreSecurity\DriverInfo6\Drivers

CoreSecurity and DriverInfo6 read:

(Default) REG_SZ (value not set)

Drivers reads:

(Default) REG_SZ (value not set)

sysTmcowjw REG_Binary ad af af a9 ae ad ae ad ad ac ac ad ae a7 9f

vid REG_SZ


I'm not sure about CoreSecurity; at least, I have never seen it on any Windows installation before, clean or unclean. It's also highly unusual to find it directly in the HKLM key; usually programs never write anything directly under HKLM.

Does this website mean anything to you? http://www.coresecurity.com/

If you're not able to figure it out, I suggest downloading Sysinternals' Process Monitor. Load up Process Monitor and create a filter like this:

Path excludes CoreSecurity then Exclude

So if there's anything at all on your PC that's going to even access this key, you'll know it.

Leave it running for a while, as we don't know when it might be accessed.

Which third-party programs are starting at startup, btw? I suggest getting Sysinternals Autoruns. Choose the option "Hide Microsoft Entries" and re-scan (F5).
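
The triage that the Process Monitor suggestion above leads to, as an added example that is not part of the original thread: a Python script that reads a Process Monitor capture saved as CSV and reports which processes touched paths containing CoreSecurity, and which of them wrote to the key. The sample rows, the process names and the helper names `key_accesses` and `writers` are constructed for illustration; the column names assume Process Monitor's default CSV export.

```python
import csv
import io

# Constructed sample in the column layout of a Process Monitor CSV export.
# Process names, PIDs and timestamps are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1480","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS",""
"10:01:05.4","example_agent.exe","2212","RegOpenKey","HKLM\CoreSecurity\DriverInfo6\Drivers","SUCCESS",""
"10:01:05.5","example_agent.exe","2212","RegQueryValue","HKLM\CoreSecurity\DriverInfo6\Drivers\vid","SUCCESS","Type: REG_SZ"
"10:01:05.6","example_agent.exe","2212","RegSetValue","HKLM\CoreSecurity\DriverInfo6\Drivers\sysTmcowjw","SUCCESS","Type: REG_BINARY"
"10:03:40.0","regedit.exe","3004","RegEnumValue","HKLM\CoreSecurity\DriverInfo6\Drivers","SUCCESS",""
"10:04:11.9","example_tool.exe","3150","RegSetValue","HKLM\CORESECURITY\DriverInfo6\Drivers\vid","ACCESS DENIED",""
'''

# Operations that can modify the key. RegCreateKey may also just open an
# existing key, so a hit there is a lead to check rather than proof of a write.
WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteValue", "RegDeleteKey"}


def key_accesses(csv_text, needle="CoreSecurity"):
    """Count read and write attempts per process on paths containing needle."""
    summary = {}
    # Tolerate a byte-order mark at the start of an exported file.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if needle.lower() not in row["Path"].lower():
            continue  # same effect as the thread's filter: drop unrelated paths
        counts = summary.setdefault(row["Process Name"], {"reads": 0, "writes": 0})
        counts["writes" if row["Operation"] in WRITE_OPS else "reads"] += 1
    return summary


def writers(csv_text, needle="CoreSecurity"):
    """Processes whose write operation on a matching path actually succeeded."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    return sorted({
        row["Process Name"] for row in reader
        if needle.lower() in row["Path"].lower()
        and row["Operation"] in WRITE_OPS and row["Result"] == "SUCCESS"
    })


if __name__ == "__main__":
    for proc, counts in key_accesses(SAMPLE_CSV).items():
        print(proc, counts)
    print("successful writers:", writers(SAMPLE_CSV))
```

An empty result from `key_accesses` means nothing touched the key during the capture window, which is why the capture needs to run long enough to cover a reboot or an application start.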


No, the website doesn't mean anything to me. I've never seen it before outside of checking it out prior to posting here. I'll look into your other suggestions and get back to you.


After highlighting the filter and clicking apply Process Monitor just says "current filter excludes all # events". Not sure if this is normal or not.

I have attached a screen shot of the startup info you requested. :)


You are looking just under "Logon". Did you look under the "Everything" tab?

Also, did you try deleting the reg key? If you do, does it come back, and if it does, when?


Here is a log of everything from Autoruns:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ Cmaudio CmiCnfg DLL C-Media Corporation e:\windows\system\cmicnfg.cpl

+ HotKeysCmds hkcmd Module Intel Corporation e:\windows\system32\hkcmd.exe

+ HP Software Update Hewlett-Packard Product Assistant Hewlett-Packard Development Company, L.P. e:\program files\hp\hp software update\hpwuschd2.exe

+ IgfxTray igfxTray Module Intel Corporation e:\windows\system32\igfxtray.exe

+ pccguide.exe PCCGuide Trend Micro Inc. e:\program files\trend micro\internet security 2007\pccguide.exe

E:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Adobe Reader Speed Launch.lnk Adobe Acrobat SpeedLauncher Adobe Systems Incorporated e:\program files\adobe\reader 8.0\reader\reader_sl.exe

+ Adobe Reader Synchronizer.lnk e:\program files\adobe\reader 8.0\reader\adobecollabsync.exe

+ HP Digital Imaging Monitor.lnk HP Digital Imaging Monitor Hewlett-Packard Development Company, L.P. e:\program files\hp\digital imaging\bin\hpqtra08.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ OE Trend Micro Anti-Spam for OE monitor Trend Micro Inc. e:\program files\trend micro\internet security 2007\tmas_oe\tmas_oemon.exe

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components

+ 0 File not found: About:Home

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Display Panning CPL Extension File not found: deskpan.dll

+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. e:\windows\system32\hticons.dll

+ iTunes iTunes Mini Player DLL Apple Inc. e:\program files\itunes\itunesminiplayer.dll

+ KodakShellExtension Shell Extension Resource DLL Eastman Kodak Company e:\program files\common files\kodak\ifscore\kodakshx.dll

+ TMD Shell Extension Tmdshell Module Trend Micro Inc. e:\program files\trend micro\internet security 2007\tmdshell.dll

+ VBPropSheet VBProp Module Trend Micro Inc. e:\program files\trend micro\internet security 2007\vbprop.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. e:\program files\common files\adobe\acrobat\activex\pdfshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ Adobe PDF Reader Link Helper Adobe PDF Helper for Internet Explorer Adobe Systems Incorporated e:\program files\common files\adobe\acrobat\activex\acroiehelper.dll

+ SSVHelper Class Java 2 Platform Standard Edition binary Sun Microsystems, Inc. e:\program files\java\jre1.5.0_11\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ Windows Messenger File not found: E:\Program Files\Messenger\msmsgs.exe

HKLM\System\CurrentControlSet\Services

+ KodakCCS This provides the best connection from Kodak digital cameras to your computer. It can communicate directly with Kodak EasyShare software. Eastman Kodak Company e:\windows\system32\drivers\kodakccs.exe

+ PcCtlCom Manages components of Trend Micro PC-cillin Internet Security. Trend Micro Inc. e:\program files\trend micro\internet security 2007\pcctlcom.exe

+ Tmntsrv Enables constant monitoring for dangers. Trend Micro Inc. e:\program files\trend micro\internet security 2007\tmntsrv.exe

+ TmPfw Manages the Personal Firewall. Trend Micro Inc. e:\program files\trend micro\internet security 2007\tmpfw.exe

+ tmproxy Manages the Trend Micro Proxy. Trend Micro Inc. e:\program files\trend micro\internet security 2007\tmproxy.exe

HKLM\System\CurrentControlSet\Services

+ cmudax C-Media Audio WDM Driver C-Media Inc. e:\windows\system32\drivers\cmudax.sys

+ DcCam Kodak Digital Camera Driver Eastman Kodak Company e:\windows\system32\drivers\dccam.sys

+ DcFpoint Kodak Digital Camera FP Driver Eastman Kodak Company e:\windows\system32\drivers\dcfpoint.sys

+ DCFS2K Kodak DC File System Driver (NT) Eastman Kodak Company e:\windows\system32\drivers\dcfs2k.sys

+ DcLps Kodak Digital Camera LPS Driver Eastman Kodak Company e:\windows\system32\drivers\dclps.sys

+ DcPTP Kodak Digital Camera PTP Driver Eastman Kodak Company e:\windows\system32\drivers\dcptp.sys

+ Exportit Kodak DC File System driver Eastman Kodak Company e:\windows\system32\drivers\exportit.sys

+ GEARAspiWDM CD/DVD Class Filter Driver GEAR Software Inc. e:\windows\system32\drivers\gearaspiwdm.sys

+ HdAudAddService High Definition Audio Function Driver v1.0 Windows ® Server 2003 DDK provider e:\windows\system32\drivers\hdaudio.sys

+ HDAudBus High Definition Audio Bus Driver v1.0 Windows ® Server 2003 DDK provider e:\windows\system32\drivers\hdaudbus.sys

+ HPZid412 IEEE-1284.4-1999 Driver (Windows 2000) HP e:\windows\system32\drivers\hpzid412.sys

+ HPZipr12 IEEE-1284.4-1999 Print Class Driver HP e:\windows\system32\drivers\hpzipr12.sys

+ HPZius12 1284.4<->Usb Datalink Driver (Windows 2000) HP e:\windows\system32\drivers\hpzius12.sys

+ ialm Intel Graphics Miniport Driver Intel Corporation e:\windows\system32\drivers\ialmnt5.sys

+ iteatapi ITE IT8211 ATA/ATAPI SCSI miniport Integrated Technology Express, Inc. e:\windows\system32\drivers\iteatapi.sys

+ iteraid ITE IT8212 ATA RAID SCSI miniport Integrated Technology Express, Inc. e:\windows\system32\drivers\iteraid.sys

+ MTsensor ATK0110 ACPI Utility e:\windows\system32\drivers\asacpi.sys

+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. e:\windows\system32\drivers\ptilink.sys

+ Secdrv SafeDisc driver e:\windows\system32\drivers\secdrv.sys

+ tmcfw Trend Micro Common Firewall Module 3.2(IM i386-fre) Trend Micro Inc. e:\windows\system32\drivers\tm_cfw.sys

+ tmcomm TrendMicro Common Module Trend Micro Inc. e:\windows\system32\drivers\tmcomm.sys

+ tmmbd Trend Micro Malicious Behavior Detector (i386-fre) Trend Micro Inc. e:\windows\system32\drivers\tm_mbd_c.sys

+ tmpreflt Trend Filter Driver Trend Micro Inc. e:\windows\system32\drivers\tmpreflt.sys

+ tmtdi Trend Micro TDI Driver (i386-fre) Trend Micro Incorporated. e:\windows\system32\drivers\tmtdi.sys

+ tmxpflt Trend Functionality Driver Trend Micro Inc. e:\windows\system32\drivers\tmxpflt.sys

+ vsapint Trend Virus ScanEngine Trend Micro Inc. e:\windows\system32\drivers\vsapint.sys

+ yukonwxp NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller Marvell e:\windows\system32\drivers\yk51x86.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ igfxcui igfxsrvc Module Intel Corporation e:\windows\system32\igfxsrvc.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ HP Standard TCP/IP Port Standard TCP/IP Port Monitor DLL Hewlett Packard e:\windows\system32\hptcpmon.dll

+ LIDIL hpzll054 LanguageMonitor Hewlett-Packard Company e:\windows\system32\hpzll054.dll

No, I didn't delete the registry key. I don't know what it goes to and don't want to mess anything up if it is important.


Whoa! There are 15 modules of Trend Micro in there! That's almost close to Norton (19!).

Anyways, I can't see anything suspicious in there. I still suggest you try and delete that key. To be on the safe side, you can right-click on it and do an Export (before you delete it). If the key was important, you can always get it back by opening that reg file :).


It's outta here...and so far nothing has been affected by it that I've noticed. Thanks for the heads up on backing up the registry key. (I should have remembered that, but I will admit to being blonde. LoL) Thanks again for your help Dexter!


  • 5 months later...

This is actually a product key! When you purchase Trend Micro's Security Suite 2007 it allows you three downloads and this is how it keeps track of which download is on your PC. No biggie for me since I did a registry backup prior to messing with it.


This topic is now closed to further replies.