Worm ...spyware ?

[sgrbrlnd]

I've a lot  of  these "PerUser .........."  in the registry  ! Do you know them ?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\PerUser_ICW_Inis]
"IsInstalled"=hex:00,00,00,00
"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\\WINDOWS\\INF\\icw97.inf"

[Eddy]

HKEY_LOCAL_MACHINE\SOFTWARE

The settings for all installed 32-bit software and .INI files for applications are listed in this key. The items included vary, depending on the software installed. Control functions for those applications are listed in the many subkeys located here. Most of the subkeys exist simply to provide a version number for the installed software.


ICW is normally short for Internet Connection Wizzard.

If you look at the content of icw97.inf, it may tell you more.

[sgrbrlnd]

If you look at the content of icw97.inf, it may tell you more.

Thanks a lot, it seems you have a very good  knowledge about this stuff ! I had looked to this file ..... with little results !
Can you see this file ?

[version]
LayoutFile=layout.inf,layout1.inf,layout2.inf
signature="$CHICAGO$"
SetupClass=BASE
[BaseWinOptions]
msicw.reg
[msicw.reg]
DelFiles=DeleteICW2,DeleteICW3
CopyFiles=CopyINF,CopySYS,CopyICW,CopyHELP
UpdateInis=UPD.Links
PerUserInstall=ICW.links.pui
AddReg=MSICW.RegEntries,MSICW.RegOLEObjects
[DestinationDirs]
CopyHELP    = 18                               
CopySYS     = 11                               
CopyINF     = 17                               
CopyICW     = 29400
DeleteICW2  = 24,%ProgramFiles%\%OLD_ICWDIR%
DeleteICW3  = 29400
[CopySYS]
icfg95.dll,,,32
inet16.dll,,,32
icwscrpt.exe,,,32
inetcfg.dll,,,32
icwdial.dll,,,32
icwphbk.dll,,,32
isign32.dll,,,32
[CopyICW]
icwconn1.exe,,,32
icwconn2.exe,,,32
inetwiz.exe,,,32
isignup.exe,,,32
icwtutor.exe,,,32
icwhelp.dll,,,32
icwconn.dll,,,32
icwutil.dll,,,32
icwres.dll,,,32
icwrmind.exe,,,32
trialoc.dll,,,32
icwdl.dll,,,32
icwx25a.dun
icwx25b.dun
icwx25c.dun
icwip.dun
phone.icw
phone.ver
state.icw
msicw.isp
msn.isp
support.icw
[CopyINF]
icw97.INF
[CopyHELP]
connect.hlp
connect.cnt
icwdial.chm
[DeleteICW2]
icwconn1.exe
icwconn2.exe
inetwiz.exe
isignup.exe
icwdl.dll
icwx25a.dun
icwx25b.dun
icwx25c.dun
icwip.dun
phone.icw
state.icw
msicw.isp
msn.isp
support.icw
[DeleteICW3]
icwconn1.exe
icwconn2.exe
inetwiz.exe
isignup.exe
icwdl.dll
icwx25a.dun
icwx25b.dun
icwx25c.dun
icwip.dun
phone.icw
state.icw
msicw.isp
msn.isp
support.icw
cns.gif
nocns.gif
progress.gif
sidebar.gif
connwiz.htm
cwizfram.htm
cwizintr.htm
[Uninstall]
UpdateInis=Uninstall.UPD.Links
[ICW.links.pui]
GUID = "PerUser_ICW_Inis"
IsInstalled = 0
StubPath = "rundll.exe %11%\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 %17%\icw97.inf"
[PerUser_ICW_Inis]
UpdateInis  =UPD.Links
[UPD.Links]
setup.ini, progman.groups,,"ICW11=%PGMGRP%"
setup.ini, ICW11,,""%PGMITEM_ICW%","%29402%\ICWCONN1.EXE",,,,,,%ICW_INFOTIP%"
setup.ini, progman.groups,,"ICW10=%PGMDEL%"
setup.ini, progman.groups,,"ICW30=%PGMDEL3%"
setup.ini, ICW10,,""%ITEMDEL_INETWIZ%"",,,
setup.ini, ICW10,,""%ITEMDEL_GETON%"",,,
setup.ini, ICW10,,""%PGMITEM_ICW%"",,,
setup.ini, ICW30,,""%ITEMDEL_GETON3%"",,,
[Uninstall.UPD.Links]
setup.ini, progman.groups,,"DESKTOP=""..\..\%SHARED_DESKTOP%"""
setup.ini, progman.groups,,"DESKTOP98=""..\..\%SHARED_DESKTOP98%"""
setup.ini, DESKTOP,,"""%ITEMDEL_GETON3_DESKTOP%""",,,
setup.ini, DESKTOP98,,"""%ITEMDEL_GETON3_DESKTOP%""",,,
[MSICW.RegEntries]
HKCR,.ins,,0,x-internet-signup
HKCR,.ins,"Content Type",0,application/x-internet-signup
HKCR,.isp,,0,x-internet-signup
HKCR,.isp,"Content Type",0,application/x-internet-signup
HKCR,x-internet-signup,,0,"Internet Communication Settings"
HKCR,x-internet-signup,EditFlags,1,00,00,00,00
HKCR,x-internet-signup\Shell,,0,""
HKCR,x-internet-signup\Shell\Open,EditFlags,1,01,00,00,00
HKCR,x-internet-signup\Shell\Open\command,,0,""""%29401%\ISIGNUP.EXE""" %%1"
HKCR,x-internet-signup\DefaultIcon,,0,"%29401%\ICWCONN1.EXE,0"
HKCR,"MIME\Database\Content Type\application/x-internet-signup",Extension,0,.ins
HKLM,"%KEY_ICW%",Version,,"%Version%"
HKLM,"%KEY_ICW%",InstallationDirectory,,"%29401%"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\ICWCONN1.EXE",,,"%29401%\ICWCONN1.EXE"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\ICWCONN1.EXE","Path",,"%29401%;"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\ICWCONN2.EXE",,,"%29401%\ICWCONN2.EXE"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\ICWCONN2.EXE","Path",,"%29401%;"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\ISIGNUP.EXE",,,"%29401%\ISIGNUP.EXE"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\ISIGNUP.EXE","Path",,"%29401%;"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\INETWIZ.EXE",,,"%29401%\INETWIZ.EXE"
HKLM,"Software\Microsoft\Windows\CurrentVersion\App Paths\INETWIZ.EXE","Path",,"%29401%;"
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","(Default)",,"Internet Connection Wizard"
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","ComponentID",,"ICW"
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","IsInstalled",1,01,00,00,00
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","Locale",,"%LOCALE_ICW%"
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","Version",,"%Version%"
HKLM,%KEY_RENAME%\ReadFiles,,,%29402%
HKLM,"Software\Microsoft\Internet Connection Wizard","Release Product",,"Memphis"
HKLM,"Software\Microsoft\Internet Connection Wizard","Release Product Version",,"4.1"
HKLM,"Software\Microsoft\Internet Connection Wizard","Default Product Code",,"DESKTOP"
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}",,,"Internet Connection Wizard"
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","Version",,"5,0,3721,800"
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","Locale",,%LOCALE%
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","IsInstalled",1,01,00,00,00
HKLM,"Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}","ComponentID",,"ICW_Win"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Uninstall\ICW",,,""
HKLM,"Software\Classes\Licenses",,,"Licensing: Copying the keys may be a violation of established copyrights."
HKLM,"Software\Classes\Licenses\57CBF9E0-6AA7-11cf-8ADB-00AA00C00905",,,"aahakhchghkhfhaamghhbhbhkbpgfhahlfle"
[MSICW.RegOLEObjects]
HKLM,%KEY_RUNONCE%,"^Register_ICW_Apprentice",,"%11%\regsvr32.exe /s %11%\inetcfg.dll"
HKLM,%KEY_RUNONCE%,"^Register_ICW_TrialOC",,"%11%\regsvr32.exe /s %29400%\trialoc.dll"
HKCU,%KEY_RUNONCE%,"^SetupICWDesktop",,"%29402%\icwconn1.exe /desktop"
[Strings]
KEY_RENAME        = "Software\Microsoft\Windows\CurrentVersion\RenameFiles"
KEY_ICW           = "SOFTWARE\Microsoft\Internet Connection Wizard"
KEY_OLD_ICW       = "SOFTWARE\Microsoft\ICW"
KEY_IEDIR         = "SOFTWARE\Microsoft\IE4\Setup"
KEY_PROGRAM_FILES = "SOFTWARE\Microsoft\Windows\CurrentVersion"
KEY_RUNONCE       = "Software\Microsoft\Windows\CurrentVersion\Runonce"
VALUE_ICW_INSTALL = "InstallationDirectory"
Version           = "1.10"
ICWNAME           = "Internet Connection Wizard"
ProgramFiles    = "Progra~1"
OLD_ICWDIR      = "ICW-In~1"
SHARED_DESKTOP         = "Desktop"
SHARED_DESKTOP98       = "All Users\Desktop"
PGMGRP                 = "Accessori\Comunicazioni"
PGMITEM_ICW            = "Connessione guidata Internet"
PGMDEL                 = "Accessori\Accesso a Internet"
PGMDEL3                = "Internet Explorer"
ITEMDEL_INETWIZ        = "Installazione guidata Internet"
ITEMDEL_GETON          = "Connessione guidata Internet"
ITEMDEL_GETON3         = "Connessione guidata"
ITEMDEL_GETON3_DESKTOP = "Connessione a Internet"
LOCALE                 = "IT"
ICW_INFOTIP            = "Configura il computer per l'accesso a Internet"

[Eddy]

Have a look at (lets say) the last 20 lines or so.
It is indeed related to the ICW.
So leave the keys as they are.

If you are interested in the registry:
- click on the link in my signature
- visit the download section
- get the Windows registry manual/tutorial

It may have some interesting information for you.

EDIT:
Be carefull with the registry. Messing it up is easy, fixing it may become very hard.

[sgrbrlnd]

Have a look at (lets say) the last 20 lines or so.
It is indeed related to the ICW.
So leave the keys as they are.

If you are interested in the registry:
- click on the link in my signature
- visit the download section
- get the Windows registry manual/tutorial

It may have some interesting information for you.

EDIT:
Be carefull with the registry. Messing it up is easy, fixing it may become very hard.

Then you too have these entries in your system .....?

[Eddy]

No I don't have them.
I use Linux

[sgrbrlnd]

ah.......I'm about to pass  to linux ...but I 've problems with  my usb modem .
Thanks again .