.yax file extension - malware?

SantaFeBill

On both my and my wife's computer, there are a large number of registry entries that reference files with the extension 'yax'.

These files can't be found with any of the ways that I have to search for files on the hd in WinXP. Also, the registry entries are a string of nonsense syllables - in short, classic symptoms of malware.

I've done extensive searches on the Web, and have only come up with the info that there is an XML extension library called 'YAX'.

But if the registry entries represent something legitimate, why the lengths to hide what's going on? Why would legit apps create registry entries with nonsense strings, and no indication of what apps they're related to?

Here's an example:

Key Name: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Class Name: NO CLASS
Last Write Time: 9/3/2009 - 7:42 PM
Value 0
Name: HRZR_PGYFRFFVBA
Type: REG_BINARY
Data:
00000000 45 68 51 0e 01 00 00 00 - EhQ.....

Value 1
Name: HRZR_EHACVQY:%pfvqy2%\Jvaqbjf Zrqvn Cynlre.yax
Type: REG_BINARY
Data:
00000000 01 00 00 00 13 00 00 00 - 54 87 4f 61 08 2d ca 01 ........

Value 2
Name: HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Gbhe Jvaqbjf KC.yax
Type: REG_BINARY
Data:
00000000 01 00 00 00 12 00 00 00 - 54 87 4f 61 08 2d ca 01 ........

Value 3
Name: HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Flfgrz Gbbyf\Svyrf naq Frggvatf Genafsre Jvmneq.yax
Type: REG_BINARY
Data:
00000000 01 00 00 00 11 00 00 00 - 54 87 4f 61 08 2d ca 01 ........

Saving from REGEDIT to a text file truncates some values, but I think you can get the idea.

Given the number of entries and the fact that they are on both my and my wife's computers, I'm hesitant to rip them out until I can find out more about them, so any help would be very much appreciated.
 
I don't know if that is malware, but if it is, my brand new Win7 system has it and it's been up less than 4 days.

They are all stored on my system under the UserAssist section of the registry, under a folder called Count. And when I look at the entries, they appear to be hash tables.

Also, they don't appear to be referencing actual files. All of mine point to either a "P:" drive or a "U:" drive, neither of which is present in my system.

You could try a Safe boot and run a scanner, but given what I'm seeing, I would strongly suspect they are not symptoms of malware.

And, as a matter of fact, it appears that if it's in the UserAssist section, it's part of the standard Windows registry. See this article:

http://www.accessdata.com/downloads/media/UserAssist%20Registry%20Key%209-8-08.pdf
 
My first question is WHY were you in the registry? The sure way of causing serious problems is to remove registry items unless you are 100% sure.
As suggested, run your antivirus, if you have one; if not, then get one.
Carl
 
... that article makes it clear what these registry entries are for and that they're not a result of malware.
I do appreciate your taking the time to post.
 
I loaded the text below in Edit Pad Lite and did a "Convert > ROT-13".

See below the original text for the ROT-13 version

Original text:
Key Name: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Class Name: NO CLASS
Last Write Time: 9/3/2009 - 7:42 PM
Value 0
Name: HRZR_PGYFRFFVBA
Type: REG_BINARY
Data:
00000000 45 68 51 0e 01 00 00 00 - EhQ.....

Value 1
Name: HRZR_EHACVQY:%pfvqy2%\Jvaqbjf Zrqvn Cynlre.yax
Type: REG_BINARY
Data:
00000000 01 00 00 00 13 00 00 00 - 54 87 4f 61 08 2d ca 01 ........

Value 2
Name: HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Gbhe Jvaqbjf KC.yax
Type: REG_BINARY
Data:
00000000 01 00 00 00 12 00 00 00 - 54 87 4f 61 08 2d ca 01 ........

Value 3
Name: HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Flfgrz Gbbyf\Svyrf naq Frggvatf Genafsre Jvmneq.yax
Type: REG_BINARY
Data:
00000000 01 00 00 00 11 00 00 00 - 54 87 4f 61 08 2d ca 01 ........
ROT-13 converted text:

Xrl Anzr: UXRL_HFREF\.QRSNHYG\Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\HfreNffvfg\{75048700-RS1S-11Q0-9888-006097QRNPS9}\Pbhag
Pynff Anzr: AB PYNFF
Ynfg Jevgr Gvzr: 9/3/2009 - 7:42 CZ
Inyhr 0
Anzr: UEME_CTLSESSION
Glcr: ERT_OVANEL
Qngn:
00000000 45 68 51 0r 01 00 00 00 - RuD.....

Inyhr 1
Anzr: UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk
Glcr: ERT_OVANEL
Qngn:
00000000 01 00 00 00 13 00 00 00 - 54 87 4s 61 08 2q pn 01 ........

Inyhr 2
Anzr: UEME_RUNPIDL:%csidl2%\Accessories\Tour Windows XP.lnk
Glcr: ERT_OVANEL
Qngn:
00000000 01 00 00 00 12 00 00 00 - 54 87 4s 61 08 2q pn 01 ........

Inyhr 3
Anzr: UEME_RUNPIDL:%csidl2%\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
Glcr: ERT_OVANEL
Qngn:
00000000 01 00 00 00 11 00 00 00 - 54 87 4s 61 08 2q pn 01 ........

--
Bernd Taeger
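As an added example (not code from any of the posters in this thread), the script below does what Bernd's ROT-13 pass does by hand, but only on the value names, so the hex data is left intact, and it also unpacks the REG_BINARY record. It shows directly that the ".yax" extension is ".lnk" after ROT-13, i.e. these are Start Menu shortcuts that were launched, not files on disk. On Windows XP each UEME_RUN* value is a 16-byte record: a 4-byte session field, a 4-byte run counter and an 8-byte FILETIME of the last run; the counter is documented (Didier Stevens' UserAssist research) to start at 5, so 5 means one run. The sample values are constructed from the export quoted above; the %csidlN% name table is taken from the Windows shell CSIDL constants (2 = CSIDL_PROGRAMS, the Start Menu\Programs folder). Values of any other length, such as UEME_CTLSESSION or the longer Windows 7 record, are returned undecoded rather than guessed at.

```python
"""Decode Windows XP UserAssist values: ROT-13 names plus the 16-byte record.

Added example for this thread, not code from any of the posters. The sample
values below are constructed from the registry export quoted in the thread.
"""
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# CSIDL folder numbers used in %csidlN% placeholders (Windows shell constants).
CSIDL_NAMES = {0: "CSIDL_DESKTOP", 2: "CSIDL_PROGRAMS",
               5: "CSIDL_PERSONAL", 11: "CSIDL_STARTMENU"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows XP: the run counter starts at 5, so a stored 5 means "run once".
XP_COUNTER_OFFSET = 5

# Constructed from the export in the thread: (value name, REG_BINARY data).
SAMPLE_VALUES = [
    ("HRZR_PGYFRFFVBA", bytes.fromhex("4568510e01000000")),
    (r"HRZR_EHACVQY:%pfvqy2%\Jvaqbjf Zrqvn Cynlre.yax",
     bytes.fromhex("010000001300000054874f61082dca01")),
    (r"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Gbhe Jvaqbjf KC.yax",
     bytes.fromhex("010000001200000054874f61082dca01")),
]


def rot13(text):
    """UserAssist value names are ROT-13 obfuscated, not encrypted."""
    return codecs.decode(text, "rot_13")


def filetime_to_datetime(filetime):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def expand_csidl(path):
    """Replace %csidlN% with the shell folder name, e.g. <CSIDL_PROGRAMS>."""
    def repl(match):
        number = int(match.group(1))
        return "<%s>" % CSIDL_NAMES.get(number, "CSIDL_%d" % number)
    return re.sub(r"%csidl(\d+)%", repl, path)


def decode_value(name, data):
    """Decode one UserAssist value into a dict.

    Only the 16-byte XP record (session, counter, FILETIME) is parsed. Other
    lengths (UEME_CTLSESSION, the longer Windows 7 record) keep raw data only.
    """
    decoded = rot13(name)
    record = {"name": decoded, "path": None, "session": None,
              "raw_counter": None, "run_count": None, "last_run": None,
              "raw_data": data.hex()}
    if ":" in decoded:
        # Split once: UEME_RUNPATH entries may carry a drive letter colon.
        record["path"] = expand_csidl(decoded.split(":", 1)[1])
    if decoded.startswith("UEME_RUN") and len(data) == 16:
        session, counter, filetime = struct.unpack("<IIQ", data)
        record["session"] = session
        record["raw_counter"] = counter
        record["run_count"] = max(counter - XP_COUNTER_OFFSET, 0)
        record["last_run"] = filetime_to_datetime(filetime)
    return record


def decode_all(values):
    return [decode_value(name, data) for name, data in values]


if __name__ == "__main__":
    for rec in decode_all(SAMPLE_VALUES):
        when = rec["last_run"].isoformat() if rec["last_run"] else "-"
        print("%-60s runs=%-4s last=%s" % (rec["path"] or rec["name"],
                                            rec["run_count"], when))
```

Run against the three values from the export, the second entry decodes to `UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk` with a stored counter of 0x13 (19) and a last-run FILETIME of 2009-09-04 02:35:34 UTC, which lines up with the 9/3/2009 evening last-write time on the key once the US Mountain time zone offset is applied.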
 