vizion

Registry - deletions prevented

22 posts in this topic

Malwarebytes' Anti-Malware 1.28

Database version: 1161

Windows 5.1.2600 Service Pack 3

22/09/2008 09:29:00

mbam-log-2008-09-22 (09-28-40).txt

Scan type: Quick Scan

Objects scanned: 53025

Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0


Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.


After scan the Remove is clicked and deletion on reboot indication is given - however the entries are NOT deleted on reboot.

Attempts to delete the registry entries manually also fail (including attempts whilst in safe mode).

There seems to be something unusual with permission settings.

Attempts to change permission settings also fail.

I have searched for guidelines to deal with registry entries that appear to be locked out to prevent changes but so far found nothing useful.

Thanks in advance

David

There is other malware we are missing here.

Please download and run HijackThis:

http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Select the first option (Do a system scan and save a logfile).

Copy and paste the contents of that log into your next post.

Done all that and it does not help because nothing is revealed by hijackthis. The problem seems to be related to registry permissions. After using so many Malware tools I have finally found something that seems to tell me what is going on.

Using subinacl.exe downloaded from Microsoft TechNet I ran:

subinacl /subkeyreg \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer /display >C:\mydir\myfilename

Opening the file I got a string of information about all the permissions for all the keys/subkeys in Explorer BUT GUESS WHAT, the lines for Browser Settings were:

: 5 Access denied

: 6 Unable to enumerate subkeys

My file size is 3,647 KB and no other key or subkey produces that response.

So this seems to explain why Malwarebytes was unable to delete the keys and why it was not able to do so on reboot. I am going to try a few more things but I thought you might be interested to know. These registry entries were a hangover from Malwarebytes deleting avifil3.dll, which was successfully removed from the system, leaving these weird entries in the registry behind.

David

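One way to hunt for the same symptom across a whole subtree without subinacl, as an added example that is not David's or the forum's own code: a PowerShell script that walks HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer (the default root is an assumption) from an elevated prompt and reports every key it cannot open or enumerate, plus any explicit Deny entries on keys whose ACL it can read. A kernel rootkit like the one found later in this thread can hide keys from this API entirely, so an empty report does not prove the subtree is clean.

```powershell
# Added example, not code from the thread. Reports keys under $Root that cannot be
# opened ("Access denied"), whose ACL cannot be read, or whose subkeys cannot be
# enumerated ("Unable to enumerate subkeys"), mirroring the two subinacl lines above.
param(
    [string]$Root = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'   # assumed default
)

function Find-LockedRegistryKeys {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$Path)

    $fullName = "$($Hive.Name)\$Path"
    try { $key = $Hive.OpenSubKey($Path, $false) }   # read-only open
    catch {
        # SecurityException / UnauthorizedAccessException: the ACL (or a hook) blocks us.
        [pscustomobject]@{ Key = $fullName; Problem = 'Access denied: cannot open key' }
        return
    }
    if ($null -eq $key) { return }   # key does not exist, or is hidden from this API

    try {
        # Explicit Deny ACEs are the usual way a locked key resists deletion by admins.
        $acl  = $key.GetAccessControl()
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -gt 0) {
            $who = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            [pscustomobject]@{ Key = $fullName; Problem = "Explicit Deny ACE(s) for: $who" }
        }
    } catch {
        [pscustomobject]@{ Key = $fullName; Problem = 'Access denied: cannot read ACL' }
    }

    try { $subKeys = $key.GetSubKeyNames() }
    catch {
        [pscustomobject]@{ Key = $fullName; Problem = 'Unable to enumerate subkeys' }
        $subKeys = @()
    }
    $key.Close()

    # Recurse into every child; findings are emitted to the pipeline as they are found.
    foreach ($name in $subKeys) {
        Find-LockedRegistryKeys -Hive $Hive -Path "$Path\$name"
    }
}

$results = @(Find-LockedRegistryKeys -Hive ([Microsoft.Win32.Registry]::LocalMachine) -Path $Root)
if ($results.Count -eq 0) { "No locked keys found under HKEY_LOCAL_MACHINE\$Root" }
else { $results | Format-Table -AutoSize -Wrap }
```

Run it before and after the cleanup: on the system described here the Browser Settings key should appear in the first run and disappear once the protecting rootkit is gone.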

Just for the record Hijackthis log shows:

Logfile of HijackThis v1.99.1

Scan saved at 18:20:13, on 22/09/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\David Southwell\Application Data\Mozilla\Profiles\default\vk9m06fi.slt\prefs.js)

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

Complete scan by ESET online showed clean system

Malwarebytes shows clean apart from the registry entries

David


[MsmqIntCert] regsvr32 /s mqrt.dll

Interesting file... Can you attach it please?


ZIP file attached, includes search of all locations found for the file

Edited by JeanInMontana: remove malicious file


Please run HijackThis again, this time make sure to copy the complete log, most of yours was missing last time.


Also please use the version of HijackThis I posted a link to, the one you are using is outdated.


Sudden thought

I ran HijackThis when I logged on to this computer -- but the person who normally uses PFast naturally has a different profile -- I only use the system when there are problems!!

So I have run another HijackThis and have attached the log, which you might find even more interesting

David

hijackthis_User2_2008_09_22.txt


The keys you have being detected in your log are likely being protected by the malware that uses them and that is why you can't delete them.

Download, unzip and run GMER: http://www.gmer.net/gmer.zip

Do not click the scan button, just click copy once the main window opens.

Make a new post and paste the results.


Here it is..

You are right on the nail.

The weird thing is that nhvjgpmc looked a bit odd to me but I had no way of checking it out..

Where do we go from here??

Thanks for sticking with this and pushing me in the right direction

David

gmer_log.txt



We have a winner. Ok, this part is not going to be as easy as the others so take it slow.

First rerun GMER, click the >>> tab to expand all the tabs, click files.

Now use the + buttons in the left pane to expand to C:\windows\system32\drivers, click drivers to highlight it and make GMER show the files in the drivers folder in the right pane.

In the right pane find smupsrin.dat, click it to highlight it. On the right side of the window click copy. Browse to your desktop and save the file as file (no extension). Make sure to not save the file as its actual name or the rootkit will protect it as well.

Now with the file still highlighted select kill. Click the rootkit/malware tab and find this:

Service system32\drivers\smupsrin.dat (*** hidden *** )

Click this line to highlight it. Right click this line and select delete service, click ok/yes through any warnings.

Reboot your system. Run GMER again, if that line does not come back then the rootkit is dead.

C:\system32\drivers\smupsrin.dat <- search for this file and if found, cut and paste to your desktop (don't worry, if there it is in a dead form now).

Now start a new thread here:

http://www.malwarebytes.org/forums/index.php?showforum=55

Zip and attach the file you copied with GMER and if found, the dead file you cut and pasted from drivers to your new thread. I will use the file(s) to improve MBAM's ability to detect this rootkit.

Now run a MBAM scan and remove those registry entries, they should go without any further resistance.


That has been done, see:

http://www.malwarebytes.org/forums/index.php?showtopic=6455


mqrt.dll <- Turned out to be nothing, just suspicious looking.

I got that rootkit file and new defs are already in the database for it.

Your system should be completely clean now.


Yep sure is ..

Thanks to you

Great work

david

I updated and applied the update to each machine (1 x XP Pro 64 [Sleuth64] + 1 x XP Pro 32 [Sleuth] + 1 x XP Pro 32 [PFast]).

Sleuth64 & Sleuth passed completely clean HOWEVER your latest update unearthed two more problems on PFast. I have attached the Malwarebytes log file.

Do you need any more info?

David

mbam_log_2008_09_23__14_17_41_.txt



Those are traces picked up from recent research, likely left over from this very infection.

See how only reg items are detected and no files? If there was a file attached to them I would be worried but everything should be set now.


OK, I thought I would double check so I am running HijackThis on each of the systems, starting with the ones that appeared clean. If/when you get a chance I would really appreciate it if you could take a look at the logs. I know these damn trojans have a habit of infecting systems on the same network, especially when, as in this case, there is extensive use of network shares. As we have cleared one I would like to be reasonably sure about the others.

Attached is the HijackThis log file from Sleuth.

This machine is sometimes extremely slow and has the following notification error after login:

Keyhook.exe - Entry point not found

The procedure entry point ? DDrawSupportGetDriverName@CSISEsc@@QAEHPADH@Z could not be located in the dynamic link library SiSApCom.dll

When you get a chance.

Thanks

David

hijackthisSleuth_2008_09_23.txt

