Jump to content

Infected Registry Key or Something Else?


Recommended Posts

A few days ago my system was hit by what's listed in - mbam-log-2011-06-18 (16-46-29)

It took some effort to clean though thankfully no damage was done. I did have to get rid of the .exe's that got their way into the Windows folder manually though in Safe Mode. Since then I've done full scans in safe mode & normal mode, scans with Malwarebytes, my virus software, and other assorted software. Anything they found was cleaned and extensive follow up scans have since been spotless.

However...as seen in mbam-log-2011-06-19 (04-55-22)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STISVC32 (Trojan.Tracur) -> Quarantined and deleted successfully.

I scan with Malwarebytes (be it quick or full) and it finds this infected key, quarantines it, and with a reboot it's gone. If I do a total system shutdown and then boot up again, the infected key returns. I scan again with Malwarebytes and voila it deletes, reboots, and all is well until I shutdown.

After some research the closest thing I found was STISVC32.exe, a well documented threat which adds in its own registry keys and what have you, thing is all I get in ANY scan is the key above and nothing more, no .exe or known registry keys. I know STISVC is a legit part of windows but I can't find ANY info on what causes the infected key I have or what its even related to. Nothing else has popped up in subsequent scans.

What is this odd key? is it a legit part of windows? or is this key being associated with another threat and just a false positive?

Any help would be appreciated.

mbam-log-2011-06-18 (16-46-29).txt

mbam-log-2011-06-19 (04-55-22).txt

Link to post
Share on other sites

Hi and :welcome:

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explaination about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results.

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Link to post
Share on other sites

Thank you for your time. I performed the scan & the results are attached below.

However I now have strong suspicions I too may have been hit by the google redirect threat going around. I've noticed the symptoms in my browser & though not ALL my searches are being compromised I've got the "if page does not automatically redirect please click here..." page & warnings from WOT and such about unsafe pages.

I am assuming my issue above may be related to this infection.

dds.txt

Link to post
Share on other sites

Hi again, can you please post also attach.txt created by DDS?

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Link to post
Share on other sites

Hello again, below you'll find what was asked for.

I've run TDSS killer with no results found. Yet when I do searches I will see 2 versions of the URL I am looking for or I click & get the "click here to redirect" instructions. I go BACK and reload the link and tend to go to the desired URL. I'm a bit at a loss as to what to do next really.

attach.txt

Link to post
Share on other sites

Hi again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Hi again, please let me know how things are running after the following fix.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


File::
c:\documents and settings\Tequila\xvgpaosfnn.tmp

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

Here is the log. I did a scan after this was done & spyware doctor found & repaired a slew of issues but everything else came up clean. It was odd because scans prior to this came up clean. Since doing a reboot the Infected Registry Key has popped up again.

log.txt

Link to post
Share on other sites

Hi again, let me know if it still comes up after running the following fix.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:



Driver::
stisvc32

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

I ran the script as directed and it seems to have solved the issue! No more infected registry key coming up & the Google redirect issue from before has not surfaced again. THANK YOU! I could not have done this alone.

One thing I noticed however was - after running the script & scan and I turned on my security software spyware doctor did it's scan & found Trojan.Downloader.Murlo & Trojan.Generic

This was ONLY found after I did the combofix scans. Spyware Doctor did it's thing cleaning & quarantining them & subsequent scans have come up clean. Nothing else has detected these threats so should I assume they are taken care of or laying dormant on my system and now need to be more aggressive to make SURE they are not around?

Lastly - what would be a good tool to clean my registry of either threats or to get rid of leftover entries caused by past issues? I was looking through it an saw registry keys that look to be related to Troj/Mancsy-Gen such as ClipSrv32 however the EXE (dssec32.exe) that particular key is looking form does not seem to be on the system.

I've done full scans & nothing pops up but I'm sure it's best NOT to have these key laying about.

log.txt

Link to post
Share on other sites

Hi again, I do NOT recommend the use of registry cleaners. Using the scripts and programs like MBAM, most leftover registry entries should already have been cleaned.

Unless it is a loading point, an orphaned registry entry is perfectly harmless. In any case, do NOT edit your registry without making a backup first: a lot more damage is done by incorrectly editing the registry than by leaving an orphaned entry in place.

I was looking through it an saw registry keys that look to be related to Troj/Mancsy-Gen such as ClipSrv32
What key did you see this in?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 26 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-6u26-windows-i586.exe

    [*]Save it to your desktop

    [*]Close any programs you may have running - especially your web browser.

    [*]Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).

    [*]Reboot your computer once all Java components are removed.

    [*]Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

Link to post
Share on other sites

I found this when I was checking things in regedit. I didn't edit or delete anything, just noticed this & when expanded I saw a reference to dssec32.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv32

So it has me wondering of other such keys exist is all. If they are orphaned & pose no threat though then I'd rather not screw up my registry obviously.

ESET found quite a bit so I'm hoping that's the last of it.

ESETscanOne.txt

Link to post
Share on other sites

ESET detected only system restore/quarantine objects.

We can get rid of the ClipSrv32 service, but the file isn't there any more.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Driver::
ClipSrv32

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

Ran the script & the log is below.

Spyware doctor did the same thing of finding & cleaning trojan-Downloader.Murlo & trojan.Generic after I started it up again after running combofix. Not sure why it's only doing it then as subsequent scans come up clean.

Malwarebytes comes up clean also.

log3.txt

Link to post
Share on other sites

Spyware Doctor is known for its false positive detections, so I wouldn't give too much importance to it.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

Thank you! My system & browsers in particular are running better and much more stable for sure. I'll be reading all the links & keeping everything updated much better now. I definitely don't want this to happen again. Again, thank you!

I initially used Defogger to Disable CD-ROM Emulation Software - do I now enable those drivers again?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.