Malwarebytes

Vundo Question

#1
StephenS (New Member, Members, 18 posts)
I was told to repost my question here rather than the general help forum:


Hello, I recently downloaded MB to get rid of popup windows that were occurring on a client's machine. I have to say it really did a good job since it detected what other products could NOT find. For the most part, it took care of the nasty Vundo.H trojan that it found.

There is one registry key that will NOT go away however. What I find unusual is that it is not in the same registry location that Vundo.H usually puts it. As I have browsed around different forums, I have found that most Vundo victims have two registry keys that will not go away. They are the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System

If I had found these two keys, I would be a little less perplexed than I am now, but of course the trojan decided to throw me a curve.

Instead, I have just one key that will re-appear when I log off and log back on. I don't even have to reboot to get it to show up. I have two different accounts that I have used to run the MB program in. When I run MB in one account, it comes up with nothing found. However, when I run it under another account, I get a notification that there is one key remaining. Of course I have removed it with MB as well as manually deleted it, but it just comes right back.

Anyhow, the offending key is this: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System" As you can see, it's a little different than the preceding keys that other users have reported problems with. Everything except the first value is the same though. This is also why I just have to log off and log back on for it to return since it's based on the user that is logged in.

Anyhow, any ideas why it would show in this location and not in the Local Machine key like it usually does? I'd like to get rid of this of course, but I wonder if this is another variant other than what the other people have been infected with. As I stated before, all other tests come out clean when logged in as a different user and the machine doesn't show ANY symptoms of being infected. It's just this one key decides to stick around after logging in again as this one user.

I know this is a forum where you are supposed to post HijackThis logs, but the person who owns this computer does not wish me to use that program since the only thing left is this one registry key. (Yeah, it's weird, but that was their request.) I'm really sorry about not posting one, as I know you guys want to see those logs to try and fix these things. However, as I do not see any additional symptoms on the computer except for this one key sticking around, I can understand why they feel that way about it. If you guys think the HijackThis log is absolutely necessary to determine why this one key is coming back, I'll do what I can to convince the person to let me run that program and post it anyway.

#2
AdvancedSetup (Forum Deity, Administrators, 22,578 posts, Gender: Male, Location: US)
Hello Stephen,

Can you please post the MBAM log so we can see that? Then download this tool, shut down ALL software, AV, etc., disconnect from the Internet, and run it.


RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.
Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
StephenS (New Member, Members, 18 posts)
Thanks for the fast reply.

I have a quick question about running that rootkit. This particular username that is infected is attached to a domain. In order to disconnect from everything, I will have to use a different username entirely. Is that going to matter? I only ask this since there have been no other problems of any kind attached to any other username on this computer. Will the rootkit scan work on there just as it would on the affected account?

#4
StephenS (New Member, Members, 18 posts)
Also, here is the latest log for MBAM:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 2

2/20/2009 8:53:30 PM
mbam-log-2009-02-20 (20-53-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 100324
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
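An added example, not code from the thread or from Malwarebytes: a small Python parser for the MBAM 1.x log layout shown above. It pulls out each detection line and, for registry items, reports whether the path sits under HKEY_LOCAL_MACHINE (machine-wide) or under HKEY_CURRENT_USER/HKEY_USERS (stored in a user profile, which is why it resurfaces at that user's logon, as Stephen describes). The embedded sample log is constructed and modelled on the one posted above.

```python
import re
from collections import Counter
# Constructed sample in the MBAM 1.x log layout, modelled on the log posted above.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.34
Database version: 1782
Registry Keys Infected: 1
Registry Values Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)
"""

# One detection line reads "<item> (<threat name>) -> <action taken>"
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return the detections in a log, each tagged with the section it appeared under."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        # Detail sections end in a bare colon ("Registry Keys Infected:");
        # the summary lines near the top carry a count and are skipped.
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = DETECTION.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings

def persistence_scope(item):
    """HKCU/HKU paths live in a user profile and return at that user's logon;
    HKLM paths are machine-wide. Anything else is a file or process, not a key."""
    hive = item.split("\\", 1)[0].upper()
    if hive in ("HKEY_CURRENT_USER", "HKEY_USERS"):
        return "per-user"
    if hive == "HKEY_LOCAL_MACHINE":
        return "machine-wide"
    return "not-a-registry-path"

def summarize(text):
    """Parse a log and count its registry detections by persistence scope."""
    findings = parse_mbam_log(text)
    scopes = Counter(persistence_scope(f["item"]) for f in findings
                     if f["section"].startswith("Registry"))
    return findings, scopes
```

A per-user result on a domain-joined box is worth checking in every profile that logs on to the machine, not only the one the scan ran under.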

#5
AdvancedSetup (Forum Deity, Administrators, 22,578 posts, Gender: Male, Location: US)
Yes, if it is a rootkit it works at a very low level and doesn't care about accounts.

Couple issues.

1. By default the same account you logon with on the Domain is cached and can be used up to 10 times
2. To be safe though, ensure you know the local Admin password.


There are other tools we can use to "blow" it out, but I'd like to try to capture it so that we can add it to MBAM so that it can be automatically removed for other users as well.

#6
StephenS (New Member, Members, 18 posts)

AdvancedSetup, on Feb 21 2009, 03:16 AM, said:

Yes, if it is a rootkit it works at a very low level and doesn't care about accounts.

Couple issues.

1. By default the same account you logon with on the Domain is cached and can be used up to 10 times
2. To be safe though, ensure you know the local Admin password.


There are other tools we can use to "blow" it out, but I'd like to try to capture it so that we can add it to MBAM so that it can be automatically removed for other users as well.


Haha, I forgot about the default cached domain credentials. I should have remembered that too, since I had to disable that on another workstation for a security reason. Yeah, I do know the local admin password, so there's no problem there. I may not be able to get to this for a couple of days though. Other issues have called me away from that machine for the time being, so I can only manage it remotely. I keep checking on it though, and MBAM is only reporting that one registry key when I log in to it, so it's not creating anything new. At least I know that no new infections are popping up on it. Thanks again for the response and I'll let you know what I find out about it.

#7
AdvancedSetup (Forum Deity, Administrators, 22,578 posts, Gender: Male, Location: US)
Okay, let us know how it goes.

#8
AdvancedSetup (Forum Deity, Administrators, 22,578 posts, Gender: Male, Location: US)
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.