
I think I am infected with something



Adwcleaner picks these keys up:

Key Found:  HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}

I remove them with Adwcleaner and reboot for them only to be there again.

I then used Emsisoft Emergency Kit to do a scan, being curious if it would find anything else, and it does.

these are the keys Emsisoft emergency kit finds:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}

Once the scan is complete with Emsisoft I then quarantine and assume all is ok.

But this is not the case. After reboot I scan again and the keys are yet again found.

So I check in my registry to find other things associated with these keys and I find:

NTService.Control.1

_DNtSvc

related to these keys.

Of course before coming here I searched around online finding many topics and virus related pages to do with these keys.

The trouble is I can't find which process is responsible for creating these keys, and also that these keys can unknowingly be installed with software.

I'm not sure why Malware bytes premium isn't detecting any changes or picking up on this. Kaspersky Internet security also doesn't seem to find anything wrong.

I've done a FRST scan and have attached the logs. Any help on this will be much appreciated.

FRST.txt

Addition.txt


Hi there, I still have the same happening over and over.

Here are some more logs.

One for Adwcleaner

and one from Emsisoft emergency scanner which lists this as being SmartService trojan

but I've looked up about SmartService disabling security programs, none of which has happened to me.

I've done some further reading and these keys in my previous post seem to be more related to Yelloader or Bancos.

I still cannot find any processes creating these keys. Also, I went into safe mode and scanned, and the funny thing is the scans came back empty,

but if I boot into Windows as usual and then do a scan the keys are present again. Could these keys be stuck in memory?

Why do they keep returning even after being cleaned with Adwcleaner and Emsisoft, and why isn't Malware bytes premium picking this up?

I also did a rootkit scan with the actual Malware bytes standalone rootkit scanner but it turned up empty too.

Attached the logs. So any help when you are free would be much appreciated guys, I'm not totally sure if this is a serious infection or not

or just some stubborn keys that are hard to remove or being loaded by remnants of a previous infection I didn't even know I had.

AdwCleaner[S243].txt

scan_170504-045014.txt


Happy to say that I cleaned this annoying infection up. Everything pointed to a file named NTSVC.ocx which was located in the SYSWOW64 folder.

I quarantined the file in Emsisoft emergency scanner as it allows you to add files to the quarantine. This was after removing all the registry keys created by NTSVC.ocx

I think it would be very handy if Malware Bytes Premium had such an option to add any file to quarantine, definitely consider this guys.

Perhaps also add the detections in to Malware Bytes Premium since it did not pick this up once at all.

I have done several scans and registry searches since and it is completely gone. Nuked. I also disabled system restore before doing any of what I have mentioned

so it's important to do this too with System Restore: delete any backups it has created, as you don't want this coming back. Let me tell you, it is annoying as f***

This file is created by whatever nasty little bit of kit lands on the system and creates all the registry keys I mentioned in my above posts.

It also seems that whatever this is (was), it goes by many names since those registry keys are mentioned a lot in relation to other infections.

Tools I used to track this down and get rid of it were:

RegShot by maddes, xhmikosr, regshot: take a snap of your registry before and after, very helpful.

MiniRegTool64 by FarBar. Helped find other hidden keys with the same values as the registry keys I posted.

Regedit by Microsoft

RKILL by Bleeping Computer

Emsisoft emergency scanner by Emsisoft

AdwCleaner by fr33tux

My Brain by Me

I am no longer infected with this. I helped myself. You can now close this. Cheers.


Hi Aura, all is good here. As far as I know, a week after my last post everything seems fine on my PC. I'm still doing regular checks and even checking to see if those registry keys appear again, but they haven't returned and neither has the file I quarantined. If I ever do stumble into some little nasties again I'll be sure to post about it here at the forum.

What is really interesting about the infection is that many other infections seem to use those registry keys as if they are an easy exploit or target on a Windows system. It's got me studying more about it and the whole world of malware, viruses, worms and trojans. It's also made me paranoid again, which isn't a bad thing :D I seem to have got a bit relaxed with my security, a mistake I'm not going to make again.

Thanks for asking Aura :)


Feel free to come back for a check-up if you ever feel that you are infected again, we'll be happy to help you!

Quote

What is really interesting about the infection is that many other infections seem to use those registry keys as if they are an easy exploit or target on a Windows system

Most malware uses the same Reg Loading Points (that's what we call them), so once you learn to recognize them, it's kind of easy to identify infections, how they launch and how to stop them.

And no problem k9876, you're welcome :) 

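The before/after registry snapshot that k9876 describes (RegShot, then tracing the CLSID back to NTSVC.ocx), and Aura's point that the same registry load points keep turning up, can both be done from PowerShell. The script below is an added example written for this thread, not a tool either poster used. It uses only the GUIDs and the ProgID (NTService.Control.1) quoted in the posts above; the snapshot file paths under C:\temp are assumptions, and the registration layout it walks (CLSID\InprocServer32, TypeLib\<ver>\0\win32 or win64, ProgID\CLSID) is the standard COM registration layout, not something specific to this infection.

```powershell
# Added example (not from the thread). Snapshots the COM registration keys
# quoted in the posts, resolves each one to the module it loads, and diffs
# two snapshots taken before and after a reboot so "returning" keys stand out.

# GUIDs quoted in the thread (the {E7BC34A0..A3-...} family)
$Guids = @(
    '{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}',
    '{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}',
    '{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}',
    '{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}'
)

# Registry subtrees where a COM registration for these GUIDs can live
# (native and WOW6432Node views of CLSID, Interface and TypeLib)
$Roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Interface',
    'HKLM:\SOFTWARE\Classes\TypeLib',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\Interface',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\TypeLib'
)

function Get-ComRegistrationSnapshot {
    # One record per existing GUID key, with the module path the key points to:
    # CLSID\InprocServer32 default value, or TypeLib\<ver>\0\win32|win64 default value.
    foreach ($root in $Roots) {
        foreach ($guid in $Guids) {
            $key = Join-Path $root $guid
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $module = $null
            $inproc = Join-Path $key 'InprocServer32'
            if (Test-Path -LiteralPath $inproc) {
                $module = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            }
            $libs = Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -in 'win32', 'win64' }
            foreach ($lib in $libs) {
                $module = (Get-ItemProperty -LiteralPath $lib.PSPath).'(default)'
            }
            [pscustomobject]@{ Key = $key; Module = $module }
        }
    }
}

function Resolve-ProgId {
    # ProgID -> CLSID -> InprocServer32 module, the chain k9876 followed by hand.
    param([string]$ProgId)
    foreach ($classes in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\WOW6432Node') {
        $clsidKey = Join-Path $classes "$ProgId\CLSID"
        if (-not (Test-Path -LiteralPath $clsidKey)) { continue }
        $clsid  = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
        $inproc = Join-Path $classes "CLSID\$clsid\InprocServer32"
        $module = if (Test-Path -LiteralPath $inproc) { (Get-ItemProperty -LiteralPath $inproc).'(default)' }
        [pscustomobject]@{ ProgId = $ProgId; Clsid = $clsid; Module = $module; View = $classes }
    }
}

function Compare-ComSnapshot {
    # Keys present in the "after" snapshot but not in "before" are the ones that came back.
    param([string]$BeforePath, [string]$AfterPath)
    $before = @{}; foreach ($r in @(Import-Clixml $BeforePath)) { $before[$r.Key] = $r.Module }
    $after  = @{}; foreach ($r in @(Import-Clixml $AfterPath))  { $after[$r.Key]  = $r.Module }
    foreach ($k in $after.Keys)  { if (-not $before.ContainsKey($k)) { [pscustomobject]@{ Change = 'returned'; Key = $k; Module = $after[$k] } } }
    foreach ($k in $before.Keys) { if (-not $after.ContainsKey($k))  { [pscustomobject]@{ Change = 'removed';  Key = $k; Module = $before[$k] } } }
}

# Usage (file paths are assumptions):
#   Get-ComRegistrationSnapshot | Export-Clixml C:\temp\com-before.xml   # right after cleaning
#   ... reboot ...
#   Get-ComRegistrationSnapshot | Export-Clixml C:\temp\com-after.xml
#   Compare-ComSnapshot C:\temp\com-before.xml C:\temp\com-after.xml
#   Resolve-ProgId 'NTService.Control.1'
#   # Check whether whatever the keys point at is a signed, known binary:
#   Get-ComRegistrationSnapshot | Where-Object Module | ForEach-Object {
#       Get-AuthenticodeSignature $_.Module | Select-Object Path, Status
#   }
```

Run it from an elevated PowerShell so the HKLM subtrees are readable, and take the "before" snapshot immediately after the cleaner has removed the keys. A key that reappears in the "after" snapshot together with an unsigned module in a system directory is the thing to quarantine; the registry entries are just the registration that module keeps re-creating, which is why deleting them on their own never stuck.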
