For the life of me, I can't find the service or program that keeps installing itself after deletion from Windows XP (Pro, w/ svc pack 3) registry...
Does anyone here know of software called "Rabia" (that's the local machine key), with 2 sub-keys, "CodV4Q==", and "DYNV4Q==" containing binary data?
My virus/trojan/spybot detectors have found nothing, so I'm stumped.
After deletion, these entries appear immediately after a re-boot.
Thanks for your help.
Don in Oakland
Rodney, I appreciate the suggestion, but I'd like to go deeper than your Latin phrase.
I DID purchase the latest ver of MalwareBytes, and it let my suspect entry pass. I'm still curious to know what the heck this is when there are NO links to it on the web.
Have you tried sysinternals autoruns.exe? They have a great set of tools if you can still find them. Microsoft bought them a few years ago and renamed it wininternals. If you can't find the tools there is a copy on my server at:
Great suggestion, Rodney. I am well familiar w/ their tools (purchased some before acquisition by MS), but thought, perhaps mistakenly, that AntiVir, ClamWin, and Avira would do the job. I stay away from system hogs like McAfee and Norton AV. I'm sure my copy of SysInternals is real old, so thanks for the link.
Call of Duty game? Rabia is a Middle Eastern name.
Anyway, from Winternals get Process Monitor. Start it, set it to boot log via Options, then restart your sys after deleting that key. Open PM and stop the logging, then search for that key and see what created it.
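Once the boot log described in the post above has been saved from Process Monitor as CSV, the search for what created the key can be scripted. This is an added example, not part of the original thread: the `HKLM\SOFTWARE` location, the process names and the sample rows are constructed for illustration, and the column names are those of a default Process Monitor CSV export.

```python
import csv
import io

# Constructed sample in the default Procmon CSV column layout (not real log data).
SAMPLE = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.10 AM","scanner.exe","900","RegOpenKey","HKLM\SOFTWARE\Rabia","NAME NOT FOUND","Desired Access: Read"
"9:01:05.20 AM","example_spooler.exe","1480","RegCreateKey","HKLM\SOFTWARE\Rabia","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"9:01:05.21 AM","example_spooler.exe","1480","RegCreateKey","HKLM\SOFTWARE\Rabia\CodV4Q==","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"9:01:05.22 AM","example_spooler.exe","1480","RegSetValue","HKLM\SOFTWARE\Rabia\CodV4Q==\Data","SUCCESS","Type: REG_BINARY, Length: 16"
"9:01:09.00 AM","scanner.exe","900","RegCreateKey","HKLM\SOFTWARE\Rabia","SUCCESS","Desired Access: Read, Disposition: REG_OPENED_EXISTING_KEY"
"9:01:09.50 AM","explorer.exe","1200","RegSetValue","HKCU\Software\RabiaTools\Setting","SUCCESS","Type: REG_SZ, Length: 4"
'''.strip()

WRITE_OPS = {"RegCreateKey", "RegSetValue"}


def find_key_writers(csv_text, key_name):
    """Return (time, process, pid, operation, path) for every successful
    write that touched a registry path containing key_name as a component."""
    wanted = key_name.lower()
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Match whole path components so "Rabia" does not match "RabiaTools".
        if wanted not in row["Path"].lower().split("\\"):
            continue
        op = row["Operation"]
        if row["Result"] != "SUCCESS" or op not in WRITE_OPS:
            continue  # failed lookups and plain reads are scanners, not creators
        # RegCreateKey also opens existing keys; keep only real creations.
        if op == "RegCreateKey" and "REG_CREATED_NEW_KEY" not in row["Detail"]:
            continue
        hits.append((row["Time of Day"], row["Process Name"], row["PID"], op, row["Path"]))
    return hits


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" and pass its text.
    for hit in find_key_writers(SAMPLE, "Rabia"):
        print(*hit, sep="  ")
```

The first row printed is the process that recreated the key after the reboot; rows from tools that merely opened or probed the key are filtered out.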
The SysInternals procmon.exe did the trick. Thanks a heap (as opposed to a stack!) gerbil.
Turns out, a powerful utility I purchased/installed a long time ago, Leadtools' ePrint5, calls the "Rabia" software to create two keys and then initialize their print spooler. Not too long ago, very few applications could create a .pdf, but ePrint works as a spooler engine (print an image from any running program).
Now, we can put my paranoia to rest. Kinda weird, isn't it, that this could not be found at all by the mighty Google.
Mystery solved, we can close this thread now, thanks to everyone who responded.