TechSpot

[Inactive] Trojan in registry software hive

By gamc
Mar 7, 2010
  1. Avast detected a trojan when exporting the registry Machine_software key as a hive file using regedit.

    The key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Y5IQNZ80Y looks suspicious and after deleting this key from the registry avast reported that the exported hive file was clean.

    However the software hive file in the system32\config folder was still infected.
    To solve this problem I used Erunt to backup the registry hives and then Ntregopt to re-generate the registry hives (both tools written by Lars Hederer and highly recommended in other forums).

    After re-boot a new registry backup with Erunt was scanned with avast and this was clean.

    A previous thread for a similar problem was abruptly closed.
    There may be people interested in a solution to this problem.
    This is the only reason for me posting this.
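
One possible reading of the sequence in the post above (on-disk hive still flagged after the key was deleted, clean after a rebuild) is that a deleted key's cell is only marked free inside the hive file and its bytes stay until the hive is rewritten. The Python below is an added example, not part of the thread, that walks a hive's cells and reports whether a named key record sits in an allocated or a free cell; that this explains the detection here is an assumption, and `find_key_cells`, `nk_cell` and `build_sample_hive` are hypothetical helpers working on a constructed sample hive.

```python
import struct

NK_NAME_OFF = 0x4C   # key name starts 0x4C bytes into an nk (key node) record
HBIN_START = 0x1000  # first hive bin follows the 4096-byte base block

def find_key_cells(hive: bytes, key_name: str):
    """Return [(file_offset, "allocated" | "free")] for nk records named key_name."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive (no regf signature)")
    names = [key_name.encode("utf-16-le")]
    if key_name.isascii():
        names.append(key_name.encode("ascii"))   # compressed-name form
    hits, pos = [], HBIN_START
    while hive[pos:pos + 4] == b"hbin" and pos + 32 <= len(hive):
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if bin_size < 0x1000:
            break
        cell, end = pos + 32, min(pos + bin_size, len(hive))
        while cell + 4 <= end:
            raw = struct.unpack_from("<i", hive, cell)[0]   # negative size = in use
            size = abs(raw)
            if size < 8 or cell + size > end:
                break
            body = hive[cell + 4:cell + size]
            for name in names:
                i = body.find(name, NK_NAME_OFF)
                while i != -1:
                    rec = i - NK_NAME_OFF   # candidate start of the nk record
                    if (body[rec:rec + 2] == b"nk"
                            and struct.unpack_from("<H", body, i - 4)[0] == len(name)):
                        hits.append((cell + 4 + rec, "allocated" if raw < 0 else "free"))
                    i = body.find(name, i + 1)
            cell += size
        pos += bin_size
    return hits

def nk_cell(name: str, in_use: bool) -> bytes:
    """Constructed nk cell: only signature, flags and name fields are filled in."""
    raw = name.encode("ascii")
    # "nk", flags 0x20 (ASCII name), zeroed fields up to 0x48, name length, class length
    rec = b"nk" + struct.pack("<H", 0x20) + bytes(0x44) + struct.pack("<HH", len(raw), 0) + raw
    size = (4 + len(rec) + 7) & ~7   # cells are 8-byte aligned
    return struct.pack("<i", -size if in_use else size) + rec.ljust(size - 4, b"\0")

def build_sample_hive(cells) -> bytes:
    """Constructed single-bin hive: base block, hbin header, cells, one free tail cell."""
    tail = 0x1000 - 32 - sum(map(len, cells))
    hbin = b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(20) + b"".join(cells)
    return b"regf".ljust(0x1000, b"\0") + hbin + struct.pack("<i", tail) + bytes(tail - 4)
```

Run it against an offline copy of the hive, such as a backup taken before and after the rebuild, because the live file in system32\config is locked while Windows is running.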
     
  2. mak50

    mak50 TS Rookie

    You better use Hijackthis and send the log.
    Mostly in avast some unsuspicious files may be listed as suspicious files.
    I suggest using AVG or ANTIVIR.
     
  3. gamc

    gamc TS Rookie Topic Starter

    I used different tools and none found a problem in the registry nor the registry hive file (except avast).
    The software hive is not scanned while the file is in use in windows and none of the
    tools found a problem when scanning the System Volume Information folder (except avast)
    The tools I used are:
    HijackThis
    Malwarebytes
    SuperAntispyware
    Adware
    Hitman Pro
    Dr Web
    Kaspersky Virus Removal Tool
    Spyware Doctor
    SpyHunter
    ComboFix

    If you still wish to see the Hijackthis log let me know and I will post it.
    The trojan infection detected by avast has now gone after using Ntregopt.
    Before changing anything in the registry backups were created.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    gamc

    Do you still need help with your computer?
     
  5. gamc

    gamc TS Rookie Topic Starter

    Broni

    I have been monitoring my PC and so far no problems.
    I will scan the infected file using other anti-virus software tomorrow and post the result.
    This is just to see if only avast detects a trojan.

    Thanks
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I am curious- what is Avast doing exporting the Registry?
    Why are you using regedit?
    Do you understand that you don't delete something- especially in the Registry- because it looks suspicious?

    System Volume is where the restore points are kept. If the system is clean and a scan shows malware in System Volume, it is not a threat to you.

    When we complete the cleaning of a system, we have the user drop all the old restore points and create a new, clean one. This was all explained to you previously.

    Threads are not abruptly closed. The thread was closed because when your helper was trying to find and remove malware, you were making changes in the Registry. Any Registry changes will affect the system. That was explained to you.
     
  7. gamc

    gamc TS Rookie Topic Starter

    I have scanned the file that avast reported had a trojan using McAfee (in another PC) and no infection was found.

    So far I have not found any other tool that detects an infection.
    It may be that avast is reporting a false positive.
    I submitted the file to avast 10 days ago but have not received a reply.
    I have not found a similar problem to the one that I had in my PC.
    My PC is still clean. I will leave this thread open for one day and then close it.

    Some clarifications for Bobbye
    Regedit exports the registry key as a reg file, as a text file or as a hive file (you can choose which).
    Avast does not export registry keys; it only scans the files, and the file in the hive format was reported to be infected with a trojan.

    A "suspicious" key is an entry that I could not track to anything that I installed, was not present in the registry of my laptop and another PC, and no reference was found in the Internet.
    Before deleting any key always backup (export the key as a reg file).

    I have sufficient knowledge and experience to know what I am doing and always take precautions to "undo" possible mistakes.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    OK, so what's the current status of your computer?
    Any issues?
     
  9. gamc

    gamc TS Rookie Topic Starter

    After 5 days of monitoring the computer everything is working fine.
    I consider that the problem has been solved.

    Two questions remain that I have not been able to answer:
    Was avast detecting a false positive?
    Was the deleted registry HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Y5IQNZ80Y
    related to malware/trojan/virus?
     
  10. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    It's really impossible to know the answer just by looking at registry key.
    I tell you what....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. gamc

    gamc TS Rookie Topic Starter

    Thanks Broni

    I used ComboFix last week on the 4th of March 2010.
    I could not find anything pointing to the initial problem that avast detected.
    But I could have missed something.

    If you like I can upload the ComboFix and HijackThis logs taken on the 4th of March.
    I have also a text file of the registry key Y5IQNZ80Y which lists binary data.
    I do not know if this is any use. I have no time to spare looking at it in detail.

    Is it really worthwhile trying ComboFix again?
    I am currently cleaning left overs of the tools that I have used to try to solve the initial problem.
    That is deleting several folders (mostly empty) just with a log file and some drivers which
    even after uninstalling the tools were left in the windows\system32\drivers folder.

    I really appreciate your offer to help
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    I'd like to see fresh Combofix log along with HJT log.
     
  13. gamc

    gamc TS Rookie Topic Starter

    Hi Broni,

    Not been able to run ComboFix due to lack of time.
    I have not been using the computer since Friday night except for a few minutes today
    and got a HJT log.
    I will be away for the next ten days.
     

  14. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    That's fine. Let me know, when you're back.
    Have a nice trip :)
     
  15. thechicola

    thechicola TS Rookie

    I have the same problem. Can you tell me if you can fix that problem?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    thechicola
    You need to start your own topic.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Just keeping the topic alive, so it won't get locked.
     
Topic Status:
Not open for further replies.

