
Possible FP for Vista shell32.dll Registry Entry - Hijack.Trojan.Siredef.C


lmacri


I ran a Custom full system scan on 26-May-2015 with rootkit scanning enabled (malware database v2015.05.26.04 / rootkit database v2015.05.24.01) and had a Hijack.Trojan.Siredef.C detection for registry entry HKU\S-1-5-21-3086198521-800258848-3831315664-1001_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}.  I was unable to find any information on this CLSID when I searched VirusTotal, and according to SystemLookup the CLSID {FBEB8A05-BEEE-4442-804E-409D6C4515E9} appears to be a legitimate 32-bit Vista shell32.dll file that was used to launch a file named CDBurn.

This is the first time I've ever run a rootkit scan with MBAM Premium, and I was wondering if this trojan detection is a false positive or an orphaned registry entry for some PUP that was previously removed from my system.  The detection was flagged at the very end of my Custom scan (i.e., during the heuristic scan and not during the rootkit scan) and a Custom full system scan on 23-May-2015 with rootkit scanning disabled (malware database v2015.05.23.01) did not detect any threats.  I've quarantined the registry entry and haven't noticed any obvious problems but I'm concerned that I might have issues down the road with my optical drive if this is a false positive for a legitimate Windows file.

I've attached scan logs for both the 23-May-2015 (no detections) and 26-May-2015 (Hijack.Trojan.Siredef.C detection) full system scans.

-------------
32-bit Vista Home Premium SP2 * Firefox 38.0.1 * NIS 2014 v. 21.7.0.11 * MBAM Premium 2.1.6
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

MBAM Custom Scan No Threats 23 May 2015.txt

MBAM Custom Scan with Rootkits Enabled Hijack_Trojan_Siredef_C 26 May 2015.txt


miekiemoes (Staff):

Hi,

This is just an orphaned leftover, BUT a valid detection, since Siredef (aka ZeroAccess) does write this key under HKCU.

So, you don't have to worry here - it's just an orphaned leftover, since the typical variant that altered this has already been dead for almost a year.

Either way, this wasn't a false positive :)

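The staff reply describes the pattern behind the detection: a CLSID written into the user's own Classes hive, where it takes precedence over the machine-wide (shell32) registration of the same CLSID, and an orphan once the file it pointed at is gone. The following script is an added example, not code from this thread, from Malwarebytes or from Microsoft. It lists every per-user COM class registration and flags two things: whether the same CLSID also exists under HKLM (a per-user shadow of a system class), and whether the server file it names is missing on disk. It assumes it is run in the affected user's session, where HKCU:\Software\Classes is the hive that scan logs show as HKU\<SID>_Classes, and it uses only cmdlets and .NET calls available on Windows PowerShell 2.0, which is what a 32-bit Vista machine has.

```powershell
# Added example (not code from the thread or from Malwarebytes): triage per-user
# CLSID registrations for the "per-user shadow of a machine CLSID" pattern and for
# orphaned entries whose server DLL/EXE no longer exists.
# Assumption: run as the affected user; HKCU:\Software\Classes = HKU\<SID>_Classes.

$userClsid    = 'HKCU:\Software\Classes\CLSID'
$machineClsid = 'HKLM:\Software\Classes\CLSID'

# Return the default value of InprocServer32 or LocalServer32 under a CLSID key, or $null.
function Get-ComServerValue {
    param([string]$ClsidKeyPath)
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $serverKey = Join-Path $ClsidKeyPath $sub
        if (Test-Path -LiteralPath $serverKey) {
            $value = (Get-Item -LiteralPath $serverKey).GetValue('')
            if ($value) { return [string]$value }
        }
    }
    return $null
}

# Turn a server value such as '"C:\Program Files\x\y.exe" /arg' or
# '%SystemRoot%\system32\shell32.dll' into a plain file path that Test-Path can check.
function Convert-ServerValueToPath {
    param([string]$Value)
    $expanded = [Environment]::ExpandEnvironmentVariables($Value).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }   # quoted path, maybe with args
    if (Test-Path -LiteralPath $expanded) { return $expanded }   # bare path, exists as-is
    return ($expanded -split ' ')[0]                             # unquoted path followed by args
}

$report = foreach ($key in Get-ChildItem -LiteralPath $userClsid -ErrorAction SilentlyContinue) {
    $clsid  = $key.PSChildName
    $server = Get-ComServerValue -ClsidKeyPath (Join-Path $userClsid $clsid)
    if (-not $server) { continue }               # no server registered: nothing would be loaded
    $path   = Convert-ServerValueToPath -Value $server
    New-Object PSObject -Property @{
        CLSID          = $clsid
        Server         = $server
        ShadowsMachine = Test-Path -LiteralPath (Join-Path $machineClsid $clsid)
        FileMissing    = -not (Test-Path -LiteralPath $path)
    }
}

# Entries that both shadow a machine CLSID and point at a missing file match the
# orphaned leftover the thread discusses. A shadow whose file still exists deserves a
# look at what that file is. Per-user installs of legitimate software register CLSIDs
# this way too, so this is a triage list, not a verdict.
$report | Sort-Object @{Expression='ShadowsMachine'; Descending=$true},
                      @{Expression='FileMissing';    Descending=$true} |
    Select-Object CLSID, ShadowsMachine, FileMissing, Server |
    Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell prompt as the user whose hive was flagged; the entries of interest sort to the top. If the flagged CLSID appears with ShadowsMachine True and FileMissing True, that is the orphan case; if the file exists, check its publisher and location before deciding anything.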

Hi miekiemoes:

Thanks for letting me know this is an orphaned registry entry.  I don't recall having any confirmed malware detections on my system in recent years other than an e-mail attachment infected with Trojan.Klovbot [sophos] that was removed by my Norton AV in July 2014, and I was just curious if this registry entry was a false positive.

I have an issue with my Norton Automatic LiveUpdates failing when MBAM v2.x Malicious Website Protection is enabled and opened a support request five months ago, and Malwarebytes Customer Support still seems convinced that I have malware hidden somewhere on my system.  They haven't found any evidence of active malware in my DDS and FRST logs but asked for new logs yesterday that they're forwarding to a malware removal specialist for a second opinion.  I decided to run a rootkit scan with MBAM yesterday and was a bit alarmed to see a Hijack.Trojan.Siredef.C detection, so it's good to know it's unlikely that I have an active Siredef.C infection on my system even though this registry entry was a valid detection.



miekiemoes (Staff):

The Norton Automatic LiveUpdates failing only when the MBAM 2 Malicious Web Protection is enabled should be something else, not malware related.

Can you verify whether disabling the Malicious Web Protection makes your Norton Automatic LiveUpdates work again? This is really important to know.

Thanks!


Hi miekiemoes:

Yes, it's very consistent behaviour.  If I enable MBAM's Malicious Website Protection (MWP) at Settings | Advanced Settings and re-boot my computer, my Norton Pulse Updates and Automatic LiveUpdates fail to run to completion, and Norton's Download Insight is unable to connect to their backend servers to check the trust rating of downloaded files - see the screenshot posted in my 07-Dec-2014 thread Norton Pulse Updates Fail when Malicious Website Protection Enabled. If I disable MBAM's MWP and re-boot my computer, my Norton updates and Download Insight checks run normally.

I recently ran trace routes to the Norton LiveUpdate servers from the command prompt (i.e., tracert liveupdate.symantecliveupdate.com, tracert liveupdate.symantec.com, tracert liveupdate.symantec.com) and all three traces end in a successful connection to the LiveUpdate servers when MWP is disabled.  However, 2 of these 3 traces consistently end in a general failure when MWP is enabled.  Those trace routes were sent to Malwarebytes Customer Support this week and they asked me to send new MBAM Check and FRST logs (yet again) "to make sure there are no signs of possible infection". I've added various malware and web exclusions in both my MBAM and Norton settings and nothing I've tried seems to solve the problem. :(

Your feedback is greatly appreciated, but I realize that the False Positives board isn't the correct forum to be discussing this.  I just wanted you to know why I was so paranoid when I saw the Hijack.Trojan.Siredef.C registry detection with my rootkit scan.


Hi miekiemoes:

Thanks, I'd be grateful for any assistance.  I've been running NIS and MBAM Pro/Premium together in real-time since 2009 and this is the first problem I've run into that couldn't be fixed by adding a few scan exclusions recommended in the forum.

I just noticed a typo in my previous post - I mentioned tracert liveupdate.symantec.com twice.  I should have stated that the third trace was for tracert update.symantec.com.  When MWP is enabled, the trace routes for liveupdate.symantecliveupdate.com and update.symantec.com both fail on my system while the trace for liveupdate.symantec.com is successful.

I should also mention that I tried clean reinstalls of MBAM v2.0.4 and v2.0.6 (mbam-clean-2.1.1.1001.exe) as well as NIS v21.6.0 (Norton_Removal_Tool.exe) and that didn't help either.
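The posts above compare tracert results for three LiveUpdate hosts with MBAM's Malicious Website Protection on and off, by hand. The following script is an added example, not part of this thread and not a tool from Malwarebytes or Symantec. For each of the three hosts named above it records DNS resolution, a TCP connect on ports 80 and 443, and the last line of a tracert, and writes them to a file tagged with a label you pass in, so one run with MWP enabled can be diffed against one with it disabled. The port numbers are an assumption (the thread does not say which ports LiveUpdate uses), the output folder is the user's TEMP directory, and it uses only what Windows PowerShell 2.0 on Vista provides.

```powershell
# Added example (not from the thread or either vendor): capture DNS, TCP and tracert
# results for the LiveUpdate hosts under one label so two runs can be compared.
# Assumptions: ports 80/443 are the relevant ones; output goes to $env:TEMP.
param([string]$Label = 'run')

$hosts = @('liveupdate.symantecliveupdate.com', 'liveupdate.symantec.com', 'update.symantec.com')
$ports = @(80, 443)
$out   = Join-Path $env:TEMP "liveupdate-check-$Label.txt"

# Resolve a name with the system resolver and report the addresses or the error text.
function Test-DnsResolution {
    param([string]$HostName)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() }
        return 'resolved ' + ($addrs -join ',')
    } catch { return 'dns failed: ' + $_.Exception.Message }
}

# Attempt a TCP connect with a timeout; a filter driver that drops traffic typically
# shows up here as 'timeout' or a connect error rather than a DNS failure.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($async)
        return 'open'
    } catch { return 'failed: ' + $_.Exception.Message }
    finally { $client.Close() }
}

$lines = @("# label=$Label  time=$(Get-Date -Format s)")
foreach ($h in $hosts) {
    $lines += "[$h] dns: " + (Test-DnsResolution -HostName $h)
    foreach ($p in $ports) {
        $lines += "[$h] tcp/${p}: " + (Test-TcpPort -HostName $h -Port $p)
    }
    # -d skips reverse lookups so the trace is not slowed by the very name resolution under test;
    # -h caps the hop count and -w the per-hop wait so a failing run still finishes quickly.
    $trace = & tracert -d -h 15 -w 1000 $h 2>&1 | ForEach-Object { [string]$_ }
    $last  = $trace | Where-Object { $_.Trim() } | Select-Object -Last 1
    $lines += "[$h] tracert last line: " + $last.Trim()
}

$lines | Set-Content -Path $out
$lines
"Saved to $out"
```

Run it once as `.\liveupdate-check.ps1 -Label MWP-on` with Malicious Website Protection enabled (after the reboot the posts describe) and once as `-Label MWP-off` with it disabled, then compare the two files with `fc`. A host that resolves in both runs but only connects or completes its trace in the MWP-off run points at the web filter rather than at DNS or at the Norton side.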
