I was having a hard time trying to work out why the Teknum Systems updater program kept re-appearing in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, even when it was deleted. At seemingly random intervals, TeaTimer (part of the SpyBot S&D suite) would pop up and tell me it had detected that this entry had re-appeared yet again. I couldn't work it out. I denied the change each time (explicitly not telling it to remember the decision because I wanted to track it down).
This isn't my computer, and the program that was causing it - EasyCrypto from Teknum Systems - had already been installed by someone else. I had removed it and removed its folder, since I knew it wasn't good, but it wasn't until I installed TeaTimer that I found out it was still trying to reappear. It didn't appear in HijackThis and SpyBot couldn't help.
Eventually, I cottoned on to the fact that it only tried to add itself to the Run key when I copied a file with Ctrl-C or right-clicked on a file. This made me even more confused, since I couldn't understand what sort of thing would trigger when I copied a file. Even worse, it was still happening in Safe Mode - obviously TeaTimer wasn't running but I could see with regedit that the entry was still appearing.
Eventually, I noticed that when I right-clicked on a file I would have in the context menu an option to "Add to EasyCrypto ZIP". Searching for this in regedit, I found this key:
Examining it, it turned out to be a shell extension installed by EasyCrypto. The DLL file it referenced - C:\WINDOWS\system32\tsseCryp.dll - was checking to make sure the Updater was still in the Run key and adding it if not. Deleting the registry key solved the problem as it ensured the DLL wasn't called any more. The DLL was still in use so I couldn't delete it but I'm sure I'll be able to next time I reboot.
I hope this helps anybody who's tearing their hair out like I was, and I would like to humbly suggest that Explorer shell extensions are also listed in HijackThis as I can imagine some nasty things being done without the user's knowledge in there.
Edited by Ciaran, 13 December 2005 - 08:30 AM.